Assessing Privacy Risks in Android: A User-Centric Approach

The increasing presence of privacy violating apps in app marketplaces poses a significant privacy risk for smartphone users. Current approaches assessing privacy risk, lack user input, assuming that the value of each smartphone sub-asset (e.g. contact list, usage history) is perceived similarly across users. Thus, per user privacy risk assessment is not achievable. This paper refines our previous work on smartphone risk assessment by proposing an approach for assessing the privacy risk of Android users. Its cornerstone is impact valuation from users, as well as their usage profiles, which enables assessment of per user risk. Threat likelihood is assessed based on the presence of specific permission combinations, which we consider vulnerabilities that enable privacy threat scenarios. These permission combinations correspond to users’ app profiles, i.e. to the app categories of Google Play that each user regularly visits. Finally, the proposed method is demonstrated through a case study.