Assisting android application developers with automatic recommendation of permissions
The Android platform enjoys the largest market share in mobile applications (84% at the end of 2014). Applications for Android are written mainly in Java and commonly referred to as 'apps'. The explicit permission mechanism imposes a few additional requirements on app developers. App developers not only need the knowledge of which APIs to use to implement the features of an app, but also of any required permissions. On one hand, a missed permission (i.e., a false negative) could result in malfunctioning of the feature (e.g., app crashes). On the other hand, unnecessary permissions (i.e., false positives) could introduce false dependencies, user confusion, marketplace rejection, or even expose risks (e.g., malware threats). Unfortunately, API from/to permission traceability is not necessarily explicitly documented. The thesis presents an approach, named ApMiner, which relies on association rule discovery to identify co-occurrence patterns of Android APIs and permissions. Based on the usage of APIs and permissions in other apps published in a marketplace, the approach is able to learn and help a developer of a new app to recommend the permissions to be added, given the APIs being used. ApMiner has been empirically evaluated on 600 apps from F-Droid, a marketplace for free and open source apps. We compared ApMiner with the state-of-the-art approaches Androguard and PScout, which rely on traditional static and dynamic analyses to recommend permissions. Results show that ApMiner has statistically significant and substantial precision gains (about 1.5 to 2 times in reducing false positives) over the compared approaches, while keeping a similar or slightly better level of recall (i.e., a measure of false negatives). Overall, our findings suggest that a mining based approach could offer much improved effectiveness in automatically recommending permissions in developing (new) Android apps.