Aper: Evolution-Aware Runtime Permission Misuse Detection for Android Apps

Sinan Wang, Yibo Wang, Xian Zhan, Ying Wang, Yepang Liu, Xiapu Luo, Shing-Chi Cheung

Research output: Chapter in book / Conference proceeding; conference article published in proceeding or book; academic research; peer-reviewed

6 Citations (Scopus)

Abstract

The Android platform introduced the runtime permission model in version 6.0. The new model greatly improves data privacy and user experience, but it brings new challenges for app developers. First, it allows users to freely revoke granted permissions. Hence, developers cannot assume that a permission granted to an app will remain granted. Instead, they should make their apps carefully check the permission status before invoking dangerous APIs. Second, the permission specification keeps evolving, bringing new types of compatibility issues into the ecosystem. To understand the impact of these challenges, we conducted an empirical study on 13,352 popular Google Play apps. We found that 86.0% of the apps used dangerous APIs asynchronously after permission management and 61.2% of the apps used evolving dangerous APIs. If an app does not properly handle permission revocations or platform differences, unexpected runtime issues may happen and even cause app crashes. We call such Android Runtime Permission issues ARP bugs. Unfortunately, existing runtime permission issue detection tools cannot effectively deal with the ARP bugs induced by asynchronous permission management and permission specification evolution. To fill the gap, we designed a static analyzer, Aper, that performs reaching definition and dominator analysis on Android apps to detect the two types of ARP bugs. To compare Aper with existing tools, we built a benchmark, ARPfix, from 60 real ARP bugs. Our experiment results show that Aper significantly outperforms two academic tools, ARPDroid and RevDroid, and an industrial tool, Lint, on ARPfix, with an average improvement of 46.3% in F1-score. In addition, Aper successfully found 34 ARP bugs in 214 open-source Android apps, most of which can result in abnormal app behaviors (such as app crashes) according to our manual validation. We reported these bugs to the app developers. So far, 17 bugs have been confirmed and seven have been fixed.
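The two bug classes the abstract describes are easiest to see in app code. The following Android activity is an added example written for this page, not code from the Aper paper or its benchmark: one method shows the asynchronous ARP pattern (permission checked in `onCreate` or in the grant callback, dangerous API invoked later on a posted task, so a revocation in between surfaces as a `SecurityException` crash), the next shows the hardened form that re-checks on the same path and treats the exception as recoverable, and a helper shows the evolution case, where the permission an API needs depends on the platform version. The request code, the 60-second delay and the choice of `getLastKnownLocation` and `BluetoothAdapter.getName()` are the editor's choices; the permission requirements of those APIs are taken from the Android platform documentation, not from the paper.

```java
// Added illustration of ARP bug patterns (not from the Aper paper).
import android.Manifest;
import android.app.Activity;
import android.bluetooth.BluetoothAdapter;
import android.content.pm.PackageManager;
import android.location.Location;
import android.location.LocationManager;
import android.os.Build;
import android.os.Bundle;
import android.os.Handler;
import android.os.Looper;
import androidx.annotation.NonNull;
import androidx.core.app.ActivityCompat;
import androidx.core.content.ContextCompat;

public class LocationActivity extends Activity {
    private static final int REQ_LOCATION = 42;        // constructed request code
    private static final long DELAY_MS = 60_000L;       // constructed delay
    private final Handler handler = new Handler(Looper.getMainLooper());
    private LocationManager locationManager;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        locationManager = (LocationManager) getSystemService(LOCATION_SERVICE);
        if (ContextCompat.checkSelfPermission(this, Manifest.permission.ACCESS_FINE_LOCATION)
                != PackageManager.PERMISSION_GRANTED) {
            ActivityCompat.requestPermissions(this,
                    new String[]{Manifest.permission.ACCESS_FINE_LOCATION}, REQ_LOCATION);
        } else {
            scheduleLocationReadSafe();
        }
    }

    @Override
    public void onRequestPermissionsResult(int requestCode, @NonNull String[] permissions,
                                           @NonNull int[] grantResults) {
        super.onRequestPermissionsResult(requestCode, permissions, grantResults);
        if (requestCode == REQ_LOCATION && grantResults.length > 0
                && grantResults[0] == PackageManager.PERMISSION_GRANTED) {
            scheduleLocationReadSafe();
        }
    }

    // ARP bug (asynchronous use): the permission check happened earlier, but the dangerous
    // API runs on a task posted for later. If the user revokes ACCESS_FINE_LOCATION in the
    // meantime, getLastKnownLocation throws SecurityException and the app crashes.
    private void scheduleLocationReadBuggy() {
        handler.postDelayed(() -> {
            Location loc = locationManager.getLastKnownLocation(LocationManager.GPS_PROVIDER);
            onLocation(loc);
        }, DELAY_MS);
    }

    // Hardened form: the check dominates the dangerous call on the same execution path,
    // and the remaining check-to-call window is covered by catching SecurityException.
    private void scheduleLocationReadSafe() {
        handler.postDelayed(() -> {
            if (ContextCompat.checkSelfPermission(this, Manifest.permission.ACCESS_FINE_LOCATION)
                    != PackageManager.PERMISSION_GRANTED) {
                onLocation(null);   // permission revoked since the earlier check: degrade
                return;
            }
            try {
                onLocation(locationManager.getLastKnownLocation(LocationManager.GPS_PROVIDER));
            } catch (SecurityException e) {
                onLocation(null);   // revoked between the check and the call
            }
        }, DELAY_MS);
    }

    // ARP bug (evolving specification): BluetoothAdapter.getName() needs the runtime
    // permission BLUETOOTH_CONNECT only from API 31 (Android 12); before that it is covered
    // by the install-time BLUETOOTH permission. A version-unaware check is wrong on one side.
    private String readBluetoothNameSafe(BluetoothAdapter adapter) {
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.S
                && ContextCompat.checkSelfPermission(this, Manifest.permission.BLUETOOTH_CONNECT)
                != PackageManager.PERMISSION_GRANTED) {
            return null;            // not granted on Android 12+: do not call the API
        }
        try {
            return adapter == null ? null : adapter.getName();
        } catch (SecurityException e) {
            return null;
        }
    }

    private void onLocation(Location loc) {
        // Application logic would go here; null means "location unavailable".
    }
}
```

In terms of the analysis the abstract names, `scheduleLocationReadBuggy` is the case where no reaching definition of a permission check dominates the dangerous call inside the posted task, while in `scheduleLocationReadSafe` the check immediately dominates it; `readBluetoothNameSafe` is the case where the required check itself differs by platform version.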
Original language: English
Title of host publication: Proceedings of the 44th International Conference on Software Engineering (ICSE)
Publisher: Association for Computing Machinery (ACM)
Pages: 125-137
Number of pages: 2508
ISBN (Electronic): 10.1145/3510003
ISBN (Print): 9781450392211
Publication status: Published - 5 Jul 2022
Event: 44th IEEE/ACM International Conference on Software Engineering: Software Engineering in Practice - Pittsburgh, United States
Duration: 22 May 2022 to 24 May 2022
https://ieeexplore.ieee.org/xpl/conhome/9793838/proceeding

Conference

Conference: 44th IEEE/ACM International Conference on Software Engineering: Software Engineering in Practice
Country/Territory: United States
City: Pittsburgh
Period: 22/05/22 to 24/05/22
