On the Security and Engineering Implications of Finer-Grained Access Controls for Android Developers and Users

One of the main security mechanisms in Android is the permission system. Previous research has pointed out that this system is too coarse-grained. Hence, several mechanisms have been proposed to address this issue. However, to date, the impact of changes in the current permission system on both end users and software developers has not been studied, and no significant work has been done to determine whether adopting a finer-grained permission system would be feasible in practice. In this work, we perform the first study to explore the practicality of the adoption of finer-grained system for the Internet permission. In particular, we have developed several analysis tools that we used to perform an empirical study on 1,227 real-world Android applications. The results of this study provide useful insights to answer the following three conceptual questions: 1) Is it practical to apply fine-grained access control mechanisms to real-world Android applications? 2) How can a system for fine-grained permission enforcement be integrated into the application development and distribution life-cycle with minimal additional required effort? 3) What are the incentives and practical benefits for both developers and end users to adopt a fine-grained permission model? Our preliminary results show that, in general, finer-grained permissions could be practical and desirable for Android applications. In addition, we show how the tools we have developed can be used to automatically generate and enforce security policies, and thus could be used to lower the burden of adoption of finer-grained permission systems.