Presented at: 19th IEEE International Working Conference on Source Code Analysis and Manipulation
Date of Conference: 30 Sept.-1 Oct. 2019
Conference Location: Cleveland, OH, USA
DOI: https://doi.org/10.1109/SCAM.2019.00034
Permission Issues in Open-Source Android Apps
1. Permission Issues in Open-Source Android Apps: An Exploratory Study
Gian Luca Scoccia, Anthony Peruma, Virginia Pujols, Ivano Malavolta, Daniel E. Krutz
19th IEEE International Working Conference on Source Code Analysis and Manipulation
September 30-October 01, 2019
2. Research Goal & Contributions
Provide a better understanding of permission-related issues (PRIs) introduced and fixed by developers in Android apps
● Frequency of PRIs in a project and their decay time
● Type of developers introducing and fixing PRIs
● Replication package availability
3. Research Questions
1. What are the most common types of permission-related issues in Android apps?
○ Help developers understand the most prevalent PRIs in their apps and better plan implementation and maintenance tasks
2. How long do permission-related issues tend to remain in Android apps across their lifetime?
○ Help developers better prioritize the addressing of PRIs
3. How does developers’ status within the project correlate with the introduction of permission-related issues?
○ Provides insight on who should be making permission-based decisions for an app
4. Permission-Related Issues (PRIs)
Abbreviation, issue, and the prior published tool that detects it:
O - Over-permission: too many permissions (violates the least privilege principle). Tool: M-Perm
U - Under-permission: not enough requested permissions. Tool: M-Perm
MC - Missing Check: checkSelfPermission() is not called when requesting a permission. Tool: P-Lint
MRP - Multiple Requests in Proximity: multiple permissions requested in close proximity, possibly overwhelming the user. Tool: P-Lint
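As an added illustration (not code from the paper, M-Perm or P-Lint), the Missing Check (MC) issue from the table above as it appears in Android app code, beside the corrected runtime-permission flow. The CameraActivity class, the REQ_CAMERA request code and the startCamera() helper are assumptions made for this example.

```java
import android.Manifest;
import android.app.Activity;
import android.content.pm.PackageManager;
import androidx.annotation.NonNull;
import androidx.core.app.ActivityCompat;
import androidx.core.content.ContextCompat;

// Hypothetical activity that needs the CAMERA permission (declared in AndroidManifest.xml).
public class CameraActivity extends Activity {
    private static final int REQ_CAMERA = 42; // arbitrary request code, chosen for the example

    // MC issue: the permission is requested without first calling checkSelfPermission(),
    // and the guarded API is used before the asynchronous result arrives. If the user
    // denies the request, startCamera() runs without the grant and a SecurityException follows.
    void openCameraWithMissingCheck() {
        ActivityCompat.requestPermissions(this,
                new String[]{Manifest.permission.CAMERA}, REQ_CAMERA);
        startCamera(); // no check that the permission is actually held
    }

    // Corrected flow: check first, request only when missing, and act only in the callback.
    void openCamera() {
        if (ContextCompat.checkSelfPermission(this, Manifest.permission.CAMERA)
                == PackageManager.PERMISSION_GRANTED) {
            startCamera();
        } else {
            // Request only the permission this action needs, in context, rather than
            // firing several prompts in a row (the MRP issue from the table).
            ActivityCompat.requestPermissions(this,
                    new String[]{Manifest.permission.CAMERA}, REQ_CAMERA);
        }
    }

    @Override
    public void onRequestPermissionsResult(int requestCode, @NonNull String[] permissions,
                                           @NonNull int[] grantResults) {
        super.onRequestPermissionsResult(requestCode, permissions, grantResults);
        if (requestCode == REQ_CAMERA && grantResults.length > 0
                && grantResults[0] == PackageManager.PERMISSION_GRANTED) {
            startCamera();
        }
        // Denied: degrade gracefully instead of assuming the permission is held.
    }

    // Placeholder for the camera-using code (hypothetical).
    private void startCamera() { }
}
```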
6. Common Types of PRIs in Android Apps
Findings:
● Permission-related issues are a frequent phenomenon in Android apps
● Over- and under-permissions are the two most common issues
● Observed a dependence between PRIs: the existence of one type of PRI indicates that other types are also present in the code
Action Item: Developers should integrate permission analysis tools (e.g., M-Perm, P-Lint) into their development workflow
7. Decay Time of PRIs in Android Apps
Findings:
● The majority of PRIs are fixed within a few days of their introduction
● PRIs can remain in apps for extended periods of time, even years
● MC issues are harder to introduce but also harder to fix once introduced, due to non-trivial code changes
Action Item: Developers should pay increased attention to code that has been written during early project life
8. Developers’ Responsibility Related to PRIs
Findings:
● PRIs are introduced and fixed by both regular contributors and newcomers
● Regular contributors are responsible for the majority of introductions and fixes
● Low association between developers’ status and the PRI types introduced/fixed
[Charts: Developers’ status when introducing PRIs; Developers’ status when fixing PRIs]
Action Item: Developers should be cognizant of PRIs when implementing apps
9. Summary
● Investigated permission-related issues in 574 open-source Android apps
● Permission issues are frequent in Android apps
● Most issues are fixed in a few days, but can also linger for extended periods of time
● Regular project contributors are responsible for introducing and fixing permission issues
● Replication package is publicly available