Making Smartphone Application Permissions Meaningful for the Average User
Amer Chamseddine, George Candea

TL;DR
This paper proposes a middleware-based approach to improve smartphone permission systems by aligning them more closely with user-perceived services, making permissions more meaningful and reducing security gaps.
Contribution
It introduces a novel middleware solution that redefines app permissions around user-tangible services, bridging the gap between current coarse/fine permissions and user understanding.
Findings
Middleware effectively wraps existing permission systems
Improves user understanding of app permissions
Reduces security vulnerabilities from malicious apps
Abstract
Smartphones hold important private information, yet users routinely expose this information to questionable applications written by developers they know nothing about. Users may be tempted to think of smartphones as old-style dumb phones, not as powerful network-connected computers, and this opens a gap between the permissions-based security paradigm (offered by platforms like Android) and what users expect. This makes it easy to fool users into installing applications that steal their information. Not surprisingly, Android is now a more favored target for hackers than Windows. We propose an approach for closing this gap, based on the observation that the current permissions system--rooted in good ol' UNIX-style thinking--is both too coarse and too fine grained, because it uses the wrong axes for defining the permissions space. We argue for replacing the paradigm in which "an app…
Taxonomy
Topics: Advanced Malware Detection Techniques · Security and Verification in Computing · User Authentication and Security Systems
