Understanding the bad development practices of Android custom permissions in the wild

Publication Type

Journal Article

Publication Date

7-2025

Abstract

Android system provides application developers with the ability to define custom permissions, which serve to moderate the sharing of resources and interactionswith other applications. However, poor development practices of developers can render the permission mechanism ineffective, weakening the system protection. This paper presents a comprehensive examination of the problematic practices surrounding custom permissions employed by developers, referred to as Bad Practices of Custom Permissions (BPCP issues). To accomplish this, we conducted an empirical study and identified nine common BPCP issue patterns that can lead to various adverse consequences, such as installation failures, crashes, oreven component hijacking. To automatically identify these patterns of bad practices, we devised PERMEAGRE, a static analysis tool. Using PERMEAGRE, we performed a large-scale analysis of 83,085 applications obtained from seven major app markets, aiming to detect instances of BPCP issues. The results revealed that more than 26% of the analyzed apps contained at least one issue, and a significant number of apps had garnered millions of downloads. Drawing from the empirical results, we further systemize the underlying root causes of these issues. Consequently, this analysis sheds light on the potential threat landscape associated with bad practices in custom permissions, emphasizing the urgent requirement for effective mitigation strategies.

Keywords

Android, custom permission, static analysis, empirical study

Discipline

Information Security

Publication

IEEE Transactions on Dependable and Secure Computing

Volume

22

Issue

4

First Page

3208

Last Page

3223

ISSN

1545-5971

Publisher

Institute of Electrical and Electronics Engineers

Additional URL

https://doi.org/10.1109/TDSC.2024.3525049

This document is currently not available here.

Share

COinS