
Semantic-aware Comment Analysis Approach for API Permission Mapping on Android

Published: 01 February 2021

Abstract

The Android platform is protected by permissions, one of its most powerful access control mechanisms, which make it possible to restrict the use of certain sensitive APIs. Many applications, however, declare more permissions than they need, and detecting such cases requires an API permission specification. Prominent previous research has not focused on the Javadoc and comments written by Android developers, even though they contain a lot of information. To address this problem, we propose a novel method that analyzes the naturally written comments of Android developers in order to construct an API permission map. We extract all comments and Javadoc from the raw Android source code and extract permission information from them using natural language processing techniques. At the same time, we parse the source code itself and extract API signatures, so that each API can be mapped to its permission. Moreover, we categorize all permissions and APIs according to the behavior explained in the comments, in order to measure the potential risk level resulting from misuse. Our experiment on Android 10, the latest version, mapped 3,012 APIs to permissions and categorized them semantically into seven categories.
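As an added illustration (not the paper's implementation), the following Python sketch shows the kind of comment-to-API mapping the abstract describes: it pairs each Javadoc block with the method signature that follows it, pulls permission constants out of both the comment prose and any `@RequiresPermission` annotation, and assigns a rough behaviour category from comment keywords. The Java input and the keyword table are constructed for this example; the paper's seven categories are not reproduced.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the style of Android framework source (not real AOSP code).
SAMPLE_JAVA = '''
/**
 * Returns the last known location. Requires the
 * {@link android.Manifest.permission#ACCESS_FINE_LOCATION} permission.
 */
public Location getLastKnownLocation(String provider) { return null; }

/**
 * Opens the named camera device.
 * <p>Requires {@link android.Manifest.permission#CAMERA} permission.
 */
@RequiresPermission(android.Manifest.permission.CAMERA)
public void openCamera(String cameraId, StateCallback cb) { }

/** Returns the device model name. No permission is required. */
public String getModel() { return ""; }
'''

# A Javadoc block, optional annotations, then the method signature up to its ')'.
METHOD_RE = re.compile(
    r"/\*\*(?P<doc>.*?)\*/\s*(?P<ann>(?:@\w+(?:\([^)]*\))?\s*)*)"
    r"(?P<sig>(?:public|protected)\s+[\w<>\[\], ]+?\s+(?P<name>\w+)\s*\([^)]*\))",
    re.S)
# Permission constants as written in {@link ...} references or @RequiresPermission.
PERM_RE = re.compile(r"Manifest\.permission[#.]([A-Z_]+)")
# Hypothetical keyword table for a behaviour category (not the paper's taxonomy).
CATEGORIES = {"location": ("location",), "camera": ("camera",)}

@dataclass
class ApiEntry:
    signature: str
    permissions: list = field(default_factory=list)
    category: str = "uncategorized"

def build_permission_map(java_source):
    """Map each API signature to the permissions named in its comment/annotations."""
    entries = []
    for m in METHOD_RE.finditer(java_source):
        doc = re.sub(r"\n\s*\*", " ", m.group("doc"))  # drop Javadoc '*' leaders
        perms = sorted(set(PERM_RE.findall(doc) + PERM_RE.findall(m.group("ann"))))
        sig = re.sub(r"\s+", " ", m.group("sig")).strip()
        entry = ApiEntry(sig, perms)
        for cat, words in CATEGORIES.items():
            if perms and any(w in doc.lower() for w in words):
                entry.category = cat
        entries.append(entry)
    return entries
```

Running `build_permission_map(SAMPLE_JAVA)` yields one entry per method; `getModel()` carries no permission and stays uncategorized, which is the case a permission map must preserve rather than guess at.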


Published In

NLPIR '20: Proceedings of the 4th International Conference on Natural Language Processing and Information Retrieval
December 2020
217 pages
ISBN:9781450377607
DOI:10.1145/3443279

In-Cooperation

  • FernUniversität in Hagen

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. Access control
  2. Android API
  3. Android Permission
  4. Natural Language Processing

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

NLPIR 2020
