Quantifying Permission-Creep in the Google Play Store

TL;DR

This study analyzes the evolution of dangerous permission usage in Android apps over 20 months, revealing increasing permission requests, especially among popular and free apps, and potential mis-specification of permissions by developers.

Contribution

It provides a longitudinal analysis of dangerous permission trends in Android apps, highlighting issues in permission requests and developer practices.

Findings

Approximately 25,000 apps request more permissions every three months.

Popular and free apps are more likely to request additional permissions.

Evidence suggests developers may mis-specify app permissions.

Abstract

Although there are over 1,600,000 third-party Android apps in the Google Play Store, little has been conclusively shown about how their individual (and collective) permission usage has evolved over time. Recently, Android 6 overhauled the way permissions are granted by users, by switching to run-time permission requests instead of install-time permission requests. This is a welcome change, but recent research has shown that many users continue to accept run-time permissions blindly, leaving them at the mercy of third-party app developers and adversaries. Beyond intentionally invading privacy, highly privileged apps increase the attack surface of smartphones and are more attractive targets for adversaries. This work focuses exclusively on dangerous permissions, i.e., those permissions identified by Android as guarding access to sensitive user data. By taking snapshots of the Google Play Store over a 20-month period, we characterise changes in the number and type of dangerous permissions used by Android apps when they are updated, to gain a greater understanding of the evolution of permission usage. We found that approximately 25,000 apps asked for additional permissions every three months. Worryingly, we made statistically significant observations that free apps and highly popular apps were more likely to ask for additional permissions when they were updated. By looking at patterns in dangerous permission usage, we find evidence that suggests developers may still be failing to correctly specify the permissions their apps need.