Android Permissions Remystified: A Field Study on Contextual Integrity
Primal Wijesekera, Arjun Baokar, Ashkan Hosseini, Serge Egelman, David Wagner, Konstantin Beznosov

TL;DR
This study investigates how often Android apps access protected resources unexpectedly, revealing user concerns about privacy invasions and the need for better permission controls based on real-world data.
Contribution
The paper provides empirical data on Android permission usage in daily life and highlights user preferences for more granular permission management.
Findings
80% of participants wanted to deny at least one permission request
Over a third of permission requests were considered invasive by users
Users desire mechanisms to block invasive permission requests
Abstract
Due to the amount of data that smartphone applications can potentially access, platforms enforce permission systems that allow users to regulate how applications access protected resources. If users are asked to make security decisions too frequently and in benign situations, they may become habituated and approve all future requests without regard for the consequences. If they are asked to make too few security decisions, they may become concerned that the platform is revealing too much sensitive information. To explore this tradeoff, we instrumented the Android platform to collect data regarding how often and under what circumstances smartphone applications are accessing protected resources regulated by permissions. We performed a 36-person field study to explore the notion of "contextual integrity," that is, how often are applications accessing protected resources when users are not…
Taxonomy
Topics: Advanced Malware Detection Techniques · Privacy, Security, and Data Protection · User Authentication and Security Systems
