Stowaway
A static analysis tool and permission map for identifying permission use in Android applications
Contact: android at eecs.berkeley.edu
Overview
Parts of the Android API are protected with permissions. In order to access protected API calls, developers must request the appropriate permissions in their applications' manifests. If a developer asks for more permissions than an application needs, then the application is overprivileged. Preventing overprivilege is important. Extra permissions may (1) unnecessarily deter users from installing applications, (2) unnecessarily accustom users to accepting lots of permissions, and (3) needlessly increase the potential damage of application vulnerabilities. We built Stowaway, a static analysis tool that detects overprivilege in compiled Android applications. Stowaway determines the set of API calls that an application uses and then maps those API calls to permissions. We used automated testing tools on the Android API to build the permission map.
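The check described above, reduced to its core, is a comparison between the permissions an application requests in its manifest and the permissions its API calls actually require. The following is an added example, not Stowaway's own code: it parses the `<uses-permission>` entries of a constructed manifest, looks up a constructed set of API calls in a small hand-written permission map (entries with several alternative permissions, as for location, are satisfied by any one of them), and reports both the unnecessary permissions (overprivilege) and any calls whose required permission is absent. The map, manifest, API-call set and the Toast/location/telephony entries are all assumptions made for illustration and are not taken from the real data set.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample permission map: API call -> list of alternative permission
# sets, any one of which is sufficient (an empty list means the call is
# unprotected). Illustrative only; not copied from the Stowaway data set.
SAMPLE_PERMISSION_MAP = {
    "android.location.LocationManager.getLastKnownLocation": [
        frozenset({"android.permission.ACCESS_FINE_LOCATION"}),
        frozenset({"android.permission.ACCESS_COARSE_LOCATION"}),
    ],
    "android.telephony.TelephonyManager.getDeviceId": [
        frozenset({"android.permission.READ_PHONE_STATE"}),
    ],
    "java.net.URL.openConnection": [
        frozenset({"android.permission.INTERNET"}),
    ],
    "android.widget.Toast.show": [],
}

# Constructed sample manifest for a hypothetical application.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.demo">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.CAMERA"/>
</manifest>
"""

# Constructed sample: the API calls a static analysis found in the app's code.
SAMPLE_API_CALLS = {
    "android.location.LocationManager.getLastKnownLocation",
    "android.telephony.TelephonyManager.getDeviceId",
    "java.net.URL.openConnection",
    "android.widget.Toast.show",
}


def requested_permissions(manifest_xml):
    """Return the set of permission names declared with <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {
        elem.get(ANDROID_NS + "name")
        for elem in root.iter("uses-permission")
        if elem.get(ANDROID_NS + "name")
    }


def analyze(api_calls, manifest_xml, permission_map):
    """Compare the permissions an app requests with those its API calls need."""
    requested = requested_permissions(manifest_xml)
    justified = set()   # requested permissions that some API call actually uses
    missing = []        # calls whose permission alternatives are all absent
    for call in sorted(api_calls):
        # A call absent from the map is treated as unprotected here.
        alternatives = permission_map.get(call, [])
        if not alternatives:
            continue
        satisfied = [alt for alt in alternatives if alt <= requested]
        if satisfied:
            # When several alternatives are held, count all of them as used
            # rather than guess which one the platform will check at runtime.
            for alt in satisfied:
                justified |= alt
        else:
            missing.append(call)
    return {
        "requested": sorted(requested),
        "overprivileged": sorted(requested - justified),
        "missing": missing,
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_API_CALLS, SAMPLE_MANIFEST, SAMPLE_PERMISSION_MAP)
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the sample input the report flags READ_CONTACTS and CAMERA as overprivilege, accepts ACCESS_COARSE_LOCATION as justified by the location call even though the map lists ACCESS_FINE_LOCATION first, and lists getDeviceId as a call whose permission is missing (the kind of mismatch that surfaces as a SecurityException at runtime). The real tool also has to resolve reflective calls, Content Providers and Intents before this comparison can be made; the manifest parsing and the any-of matching are the only parts shown here.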

You can read our research paper for more information about how our static analysis tool works and how we collected the permission map data. The paper will be presented later this year at CCS 2011.
Deliverables
Here's how our work might be useful to you:
  • Upload your app for analysis. Stowaway will tell you whether your application has any unnecessary permissions. Don't worry: the results will be displayed within a minute, and your app won't be saved on our server after the analysis is complete. Please be patient while Stowaway runs. Large applications (and slow upload speeds) can take a while.
  • Browse the permission map. Curious about whether a specific API call, Content Provider, or Intent needs a permission? Check out our permission map for Android 2.2.
  • Download the full permission map. If you use our data set in your research, please cite our CCS 2011 paper.
This work is partially supported by National Science Foundation grants CCF-0424422, 0311808, 0832943, 0448452, 0842694, a gift from Google, and the MURI program under AFOSR grant FA9550-08-1-0352. This material is also based upon work supported under a National Science Foundation Graduate Research Fellowship. Any opinions, findings, conclusions, or recommendations expressed here are those of the authors and do not necessarily reflect the views of the National Science Foundation.