
Attention: there is an inconsistency between android permissions and application metadata!

  • Regular Contribution
  • International Journal of Information Security


Abstract

Because mobile applications make our lives easier, application markets offer a large number of applications tailored to our needs. While these markets give us a platform for downloading applications, they are also used by malware developers to distribute their malicious applications. In Android, permissions are meant to prevent users from installing applications that might violate their privacy by raising their awareness. From the privacy and security point of view, if the functionality of an application is described in sufficient detail in its description, then the need for the requested permissions can be well understood. This is defined as description-to-permission fidelity in the literature. In this study, we propose two novel models that address the inconsistencies between application descriptions and requested permissions. The proposed models are based on current state-of-the-art neural architectures called attention mechanisms. Here, we aim to find the permission statement words or sentences in app descriptions by using the attention mechanism along with recurrent neural networks. The lack of such permission statements in an application description raises suspicion. Hence, the proposed approach could assist static analysis techniques in finding suspicious apps and in prioritizing apps for more resource-intensive analysis techniques. The experimental results show that the proposed approach achieves high accuracy.
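A defender-side baseline for the description-to-permission check the abstract describes, added here as an illustration and not the paper's code: it parses the manifest's uses-permission entries and looks for words in the description that state a use for each dangerous permission, so that a dangerous permission with no supporting statement is flagged. The keyword table, prefix matching and sample manifest/description are constructed for this example and stand in for the paper's learned attention model and Porter stemming.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed table: dangerous permissions and words that typically state their
# use in a description. The paper learns such associations with attention
# instead of a fixed word list; this table is only an illustrative stand-in.
PERMISSION_HINTS = {
    "android.permission.CAMERA": {"camera", "photo", "picture", "scan", "selfie"},
    "android.permission.ACCESS_FINE_LOCATION": {"location", "gps", "map", "nearby"},
    "android.permission.READ_CONTACTS": {"contact", "address book", "friend"},
    "android.permission.RECORD_AUDIO": {"record", "microphone", "voice", "audio"},
    "android.permission.READ_SMS": {"sms", "text message", "inbox"},
}

# Constructed sample app: a flashlight app that also asks for contacts.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""
SAMPLE_DESCRIPTION = ("Turn your phone into a bright flashlight. Use the camera "
                      "flash as a torch and scan QR codes.")

def requested_permissions(manifest_xml):
    """Permission names declared with <uses-permission> in the manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}

def permission_evidence(description, permission):
    """Hint words found in the description that state a use for the permission.
    Prefix matching (\\bhint\\w*) lets 'contact' match 'contacts', a crude stand-in
    for stemming."""
    text = " ".join(description.lower().split())
    return [hint for hint in sorted(PERMISSION_HINTS.get(permission, ()))
            if re.search(r"\b" + re.escape(hint) + r"\w*", text)]

def unexplained_permissions(manifest_xml, description):
    """Requested dangerous permissions with no supporting statement in the
    description; these are the candidates to prioritize for deeper analysis."""
    return sorted(p for p in requested_permissions(manifest_xml)
                  if p in PERMISSION_HINTS and not permission_evidence(description, p))

if __name__ == "__main__":
    print(unexplained_permissions(SAMPLE_MANIFEST, SAMPLE_DESCRIPTION))
```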



Notes

  1. https://wise.cs.hacettepe.edu.tr/projects/security-risks/dataset/.

  2. https://wise.cs.hacettepe.edu.tr/projects/security-risks/dataset/.

  3. We use Porter stemmer [44].

  4. https://www.nltk.org/.

  5. https://github.com/bsolomon1124/demoji.

  6. https://dynet.readthedocs.io/en/latest/tutorial.html.

  7. The implementation will be publicly available if the paper gets accepted.

References

  1. Android developer guide. https://developer.android.com/. Last accessed in May, 2019 (2019)

  2. Camera api. https://developer.android.com/guide/topics/media/camera.html. Last accessed in May, 2019 (2019)

  3. Dangerous permissions. https://developer.android.com/guide/topics/permissions/overview#dangerous_permissions. Last accessed in September, 2019 (2019)

  4. Intent—android developers. https://developer.android.com/reference/android/content/Intent.html. Last accessed in May, 2019 (2019)

  5. Permissions overview. https://developer.android.com/guide/topics/permissions/overview. Last accessed in May, 2019 (2019)

  6. Read external storage permission. https://developer.android.com/reference/android/Manifest.permission#READ_EXTERNAL_STORAGE. Last accessed in September, 2019 (2019)

  7. Sending simple data to other apps—android developers. https://developer.android.com/training/sharing/send.html. Last accessed in May, 2019 (2019)

  8. Arp, D., Spreitzenbarth, M., Hübner, M., Gascon, H., Rieck, K.: Drebin: Effective and explainable detection of android malware in your pocket (2014). https://doi.org/10.14722/ndss.2014.23247

  9. Au, K.W.Y., Zhou, Y.F., Huang, Z., Lie, D.: Pscout: analyzing the android permission specification. In: Proceedings of the 2012 ACM Conference on Computer and Communications Security, pp. 217–228. ACM (2012)

  10. Aysan, A.I., Sakiz, F., Sen, S.: Analysis of dynamic code updating in android with security perspective. IET Inf. Secur. 13(3), 269–277 (2018)


  11. Bahdanau, D., Cho, K., Bengio, Y.: Neural machine translation by jointly learning to align and translate (2014). arXiv:1409.0473

  12. Ban, T., Takahashi, T., Guo, S., Inoue, D., Nakao, K.: Integration of multi-modal features for android malware detection using linear svm. In: 2016 11th Asia Joint Conference on Information Security (AsiaJCIS), pp. 141–146. IEEE (2016)

  13. Bird, S., Klein, E., Loper, E.: Natural Language Processing with Python: Analyzing Text with the Natural Language Toolkit. O’Reilly Media, Inc, Newton (2009)


  14. Bojanowski, P., Grave, E., Joulin, A., Mikolov, T.: Enriching word vectors with subword information. TACL 5, 135–146 (2017)


  15. Caira, J.R.J., Ey, T.: Heads up, app developers: Google is getting serious about privacy and data security in apps (Visited September 2020) (2020) https://www.natlawreview.com/article/heads-app-developers-google-getting-serious-about-privacy-and-data-security-apps

  16. Chawla, N.V.: Data Mining for Imbalanced Datasets: An Overview, pp. 853–867. Springer, Boston, MA (2005). https://doi.org/10.1007/0-387-25465-X_40


  17. Cheng, X., Yan, X., Lan, Y., Guo, J.: Btm: topic modeling over short texts. IEEE Trans. Knowl. Data Eng. 26(12), 2928–2941 (2014)


  18. Cho, K., van Merrienboer, B., Gülçehre, Ç., Bougares, F., Schwenk, H., Bengio, Y.: Learning phrase representations using RNN encoder–decoder for statistical machine translation (2014). CoRR arXiv:1406.1078

  19. Devlin, J., Chang, M.W., Lee, K., Toutanova, K.: BERT: Pre-training of deep bidirectional transformers for language understanding (2018). arXiv preprint arXiv:1810.04805

  20. Dong, L., Lapata, M.: Language to logical form with neural attention (2016). arXiv preprint arXiv:1601.01280

  21. Elman, J.: Finding structure in time. Cogn. Sci. 14(2), 179–211 (1990)


  22. Felt, A.P., Ha, E., Egelman, S., Haney, A., Chin, E., Wagner, D.: Android permissions: user attention, comprehension, and behavior. In: Proceedings of the Eighth Symposium on Usable Privacy and Security, ACM, New York, NY, USA, SOUPS ’12, pp. 3:1–3:14 (2012). https://doi.org/10.1145/2335356.2335360

  23. Feng, Y., Chen, L., Zheng, A., Gao, C., Zheng, Z.: Ac-net: assessing the consistency of description and permission in android apps. IEEE Access 7, 57829–57842 (2019). https://doi.org/10.1109/ACCESS.2019.2912210


  24. Finegan-Dollak, C., Kummerfeld, J.K., Zhang, L., Ramanathan, K., Sadasivam, S., Zhang, R., Radev, D.: Improving text-to-sql evaluation methodology (2018). arXiv preprint arXiv:1806.09029

  25. Gabrilovich, E., Markovitch, S.: Computing semantic relatedness using wikipedia-based explicit semantic analysis. In: Proceedings of the 20th International Joint Conference on Artifical Intelligence, Morgan Kaufmann Publishers Inc., San Francisco, CA, USA, IJCAI’07, pp. 1606–1611 (2007)

  26. Glorot, X., Bengio, Y.: Understanding the difficulty of training deep feedforward neural networks. In: AISTATS (2010)

  27. GooglePlay: Privacy, security and deception (Visited September 2020) (2020). https://play.google.com/intl/en-US/about/privacy-security-deception/

  28. Gorla, A., Tavecchia, I., Gross, F., Zeller, A.: Checking app behavior against app descriptions. In: Proceedings of the 36th International Conference on Software Engineering, ACM, New York, NY, USA, ICSE 2014, pp. 1025–1035 (2014). https://doi.org/10.1145/2568225.2568276

  29. Grave, E., Bojanowski, P., Gupta, P., Joulin, A., Mikolov, T.: Learning word vectors for 157 languages (2018)

  30. Hearst, M.A.: Support vector machines. IEEE Intell. Syst. 13(4), 18–28 (1998). https://doi.org/10.1109/5254.708428


  31. Hochreiter, S., Schmidhuber, J.: Long short-term memory. Neural Comput. 9(8), 1735–1780 (1997). https://doi.org/10.1162/neco.1997.9.8.1735


  32. Kong, D., Cen, L., Jin, H.: Autoreb: Automatically understanding the review-to-behavior fidelity in android applications. In: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, pp. 530–541. ACM (2015)

  33. Li, Z., Zhang, Y., Wei, Y., Wu, Y., Yang, Q.: End-to-end adversarial memory network for cross-domain sentiment classification. In: Proceedings of the 26th International Joint Conference on Artificial Intelligence, AAAI Press, IJCAI’17, pp. 2237–2243 (2017)

  34. Martín, A., Calleja, A., Menéndez, H.D., Tapiador, J., Camacho, D.: Adroit: android malware detection using meta-information. In: 2016 IEEE Symposium Series on Computational Intelligence (SSCI), pp. 1–8 (2016). https://doi.org/10.1109/SSCI.2016.7849904

  35. McAfee: Mcafee mobile threat report. (Visited August 2019) (2019). https://www.mcafee.com/enterprise/en-us/assets/reports/rp-mobile-threat-report-2019.pdf

  36. Mikolov, T., Chen, K., Corrado, G., Dean, J.: Efficient estimation of word representations in vector space (2013). arXiv preprint arXiv:1301.3781

  37. Mikolov, T., Sutskever, I., Chen, K., Corrado, G.S., Dean, J.: Distributed representations of words and phrases and their compositionality. In: Burges, C.J.C., Bottou, L., Welling, M., Ghahramani, Z., Weinberger, K.Q. (eds.) Advances in Neural Information Processing Systems 26, pp. 3111–3119. Curran Associates, Inc., New York (2013)


  38. Mikolov, T., Grave, E., Bojanowski, P., Puhrsch, C., Joulin, A.: Advances in pre-training distributed word representations. In: Proceedings of the International Conference on Language Resources and Evaluation (LREC 2018) (2018)

  39. Miller, G.A.: Wordnet: a lexical database for English. Commun. ACM 38(11), 39–41 (1995). https://doi.org/10.1145/219717.219748


  40. Nguyen, D.C., Derr, E., Backes, M., Bugiel, S.: Short text, large effect: measuring the impact of user reviews on android app security & privacy. In: Proceedings of the IEEE Symposium on Security & Privacy, May 2019. IEEE, (2019). https://publications.cispa.saarland/2815/

  41. Oberheide, J., Miller, C.: Dissecting the android bouncer. In: SummerCon2012, New York (2012)

  42. Pandita, R., Xiao, X., Yang, W., Enck, W., Xie, T.: Whyper: towards automating risk assessment of mobile applications. In: Proceedings of the 22nd USENIX Conference on Security, USENIX Association, Berkeley, CA, USA, SEC’13, pp. 527–542 (2013)

  43. Pascanu, R., Mikolov, T., Bengio, Y.: On the difficulty of training recurrent neural networks. In: Proceedings of the 30th International Conference on International Conference on Machine Learning—vol. 28, JMLR.org, ICML’13, pp. III–1310–III–1318 (2013)

  44. Porter, M.F.: Readings in Information Retrieval, Chap An Algorithm for Suffix Stripping, pp 313–316. Morgan Kaufmann Publishers Inc., San Francisco, CA, USA (1997)

  45. Qu, Z., Rastogi, V., Zhang, X., Chen, Y., Zhu, T., Chen, Z.: Autocog: measuring the description-to-permission fidelity in android applications. In: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, ACM, New York, NY, USA, CCS ’14, pp. 1354–1365 (2014) https://doi.org/10.1145/2660267.2660287

  46. Rastogi, V., Chen, Y., Jiang, X.: Droidchameleon: evaluating android anti-malware against transformation attacks. In: Proceedings of the 8th ACM SIGSAC symposium on Information, computer and communications security. ACM, pp. 329–334 (2013)

  47. Sen, S., Aydogan, E., Aysan, A.I.: Coevolution of mobile malware and anti-malware. IEEE Trans. Inf. Forensics Secur. 13(10), 2563–2574 (2018)


  48. Statista: Number of apps available in leading app stores as of 2nd quarter 2019. (Visited August 2019) (2019). https://www.statista.com/statistics/276623/number-of-apps-available-in-leading-app-stores/

  49. Toivonen, H.: Apriori Algorithm, p. 60. Springer, Boston, MA (2017). https://doi.org/10.1007/978-1-4899-7687-1_27


  50. Wang, H., Li, Y., Guo, Y., Agarwal, Y., Hong, J.I.: Understanding the purpose of permission use in mobile apps. ACM Trans. Inf. Syst. (TOIS) 35(4), 43 (2017)


  51. Wang, R., Wang, Z., Tang, B., Zhao, L., Wang, L.: Smartpi: understanding permission implications of android apps from user reviews. IEEE Trans. Mobile Comput. 19, 2933–2945 (2019)


  52. Watanabe, T., Akiyama, M., Sakai, T., Mori, T.: Understanding the inconsistencies between text descriptions and the use of privacy-sensitive resources of mobile apps. In: Eleventh Symposium on Usable Privacy and Security (SOUPS 2015), USENIX Association, Ottawa, pp. 241–255 (2015). https://www.usenix.org/conference/soups2015/proceedings/presentation/watanabe

  53. Wu, J., Yang, M., Luo, T.: Pacs: Permission abuse checking system for android applications based on review mining. In: 2017 IEEE Conference on Dependable and Secure Computing, pp. 251–258 (2017). https://doi.org/10.1109/DESEC.2017.8073813

  54. Xu, K., Ba, J., Kiros, R., Cho, K., Courville, A., Salakhutdinov, R., Zemel, R., Bengio, Y.: Show, attend and tell: Neural image caption generation with visual attention (2015). arXiv:1502.03044

  55. Xue, Y., Meng, G., Liu, Y., Tan, T.H., Chen, H., Sun, J., Zhang, J.: Auditing anti-malware tools by evolving android malware and dynamic loading technique. IEEE Trans. Inf. Forensics Secur. 12(7), 1529–1544 (2017)


  56. Yang, Z., Yang, D., Dyer, C., He, X., Smola, A., Hovy, E.: Hierarchical attention networks for document classification. In: Proceedings of the 2016 Conference of the North American Chapter of the Association for Computational Linguistics: Human Language Technologies, pp. 1480–1489 (2016)

  57. Yang, Z., Yang, D., Dyer, C., He, X., Smola, A.J., Hovy, E.H.: Hierarchical attention networks for document classification. In: HLT-NAACL (2016)

  58. Yu, L., Luo, X., Qian, C., Wang, S.: Revisiting the description-to-behavior fidelity in android applications. In: 2016 IEEE 23rd International Conference on Software Analysis, Evolution, and Reengineering (SANER), vol. 1, pp. 415–426. IEEE (2016)

  59. Yu, L., Luo, X., Qian, C., Wang, S., Leung, H.K.: Enhancing the description-to-behavior fidelity in android apps with privacy policy. IEEE Trans. Softw. Eng. 44(9), 834–854 (2017)


  60. Yu, L., Zhang, T., Luo, X., Xue, L., Chang, H.: Toward automatically generating privacy policy for android apps. IEEE Trans. Inf. Forensics Secur. 12(4), 865–880 (2017). https://doi.org/10.1109/TIFS.2016.2639339


  61. Zhang, M., Duan, Y., Feng, Q., Yin, H.: Towards automatic generation of security-centric descriptions for android apps. In: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, ACM, New York, NY, USA, CCS ’15, pp. 518–529 (2015). https://doi.org/10.1145/2810103.2813669

  62. Zhou, X., Wan, X., Xiao, J.: Attention-based LSTM network for cross-lingual sentiment classification. In: Proceedings of the 2016 Conference on Empirical Methods in Natural Language Processing, Association for Computational Linguistics, Austin, TX, pp. 247–256 (2016). https://doi.org/10.18653/v1/D16-1024


Acknowledgements

We thank Muhammet Kabukçu and Beyza Çevik for their help in constructing the DesRe dataset.

Funding

This study is supported by the Scientific and Technological Research Council of Turkey (TUBITAK-118E141).

Author information


Corresponding author

Correspondence to Huseyin Alecakir.

Ethics declarations

Conflict of interest

Huseyin Alecakir, Burcu Can and Sevil Sen declare that they have no conflict of interest.

Ethical approval

This article does not contain any study with human participants or animals performed by any of the authors.



Alecakir, H., Can, B. & Sen, S. Attention: there is an inconsistency between android permissions and application metadata!. Int. J. Inf. Secur. 20, 797–815 (2021). https://doi.org/10.1007/s10207-020-00536-1
