Publication Type

Journal Article

Version

acceptedVersion

Publication Date

7-2025

Abstract

Android system provides application developers with the ability to define custom permissions, which serve to moderate the sharing of resources and interactions with other applications. However, poor development practices of developers can render the permission mechanism ineffective, weakening the system protection. This paper presents a comprehensive examination of the problematic practices surrounding custom permissions employed by developers, referred to as Bad Practices of Custom Permissions (BPCP issues). To accomplish this, we conducted an empirical study and identified nine common BPCP issue patterns that can lead to various adverse consequences, such as installation failures, crashes, or even component hijacking. To automatically identify these patterns of bad practices, we devised PERMEAGRE, a static analysis tool. Using PERMEAGRE, we performed a large-scale analysis of 83,085 applications obtained from seven major app markets, aiming to detect instances of BPCP issues. The results revealed that more than 26% of the analyzed apps contained at least one issue, and a significant number of apps had garnered millions of downloads. Drawing from the empirical results, we further systemize the underlying root causes of these issues. Consequently, this analysis sheds light on the potential threat landscape associated with bad practices in custom permissions, emphasizing the urgent requirement for effective mitigation strategies.

Keywords

Android, custom permission, static analysis, empirical study

Discipline

Information Security

Research Areas

Cybersecurity

Publication

IEEE Transactions on Dependable and Secure Computing

Volume

22

Issue

4

First Page

3208

Last Page

3223

ISSN

1545-5971

Identifier

10.1109/TDSC.2024.3525049

Publisher

Institute of Electrical and Electronics Engineers

Copyright Owner and License

Authors

Additional URL

https://doi.org/10.1109/TDSC.2024.3525049

Download

Share

COinS