Permission evolution in the Android ecosystem

Xuetao Wei, Lorenzo Gomez, Iulian Neamtiu, Michalis Faloutsos

Research output: Chapter in Book/Report/Conference proceedingConference contribution

130 Scopus citations


Android uses a system of permissions to control how apps access sensitive devices and data stores. Unfortunately, we have little understanding of the evolution of Android permissions since their inception (2008). Is the permission model allowing the Android platform and apps to become more secure? In this paper, we present arguably the first longterm study that is centered around both permission evolution and usage, of the entire Android ecosystem (platform, third-party apps, and pre-installed apps). First, we study the Android platform to see how the set of permissions has evolved; we find that this set tends to grow, and the growth is not aimed towards providing finer-grained permissions but rather towards offering access to new hardware features; a particular concern is that the set of Dangerous permissions is increasing. Second, we study Android third-party and pre-installed apps to examine whether they follow the principle of least privilege. We find that this is not the case, as an increasing percentage of the popular apps we study are overprivileged. In addition, the apps tend to use more permissions over time. Third, we highlight some concerns with pre-installed apps, e.g., apps that vendors distribute with the phone; these apps have access to, and use, a larger set of higher-privileged permissions which pose security and privacy risks. At the risk of oversimplification, we state that the Android ecosystem is not becoming more secure from the user's point of view. Our study derives four recommendations for improving the Android security and suggests the need to revisit the practices and policies of the ecosystem.

Original languageEnglish (US)
Title of host publicationProceedings - 28th Annual Computer Security Applications Conference, ACSAC 2012
Number of pages10
StatePublished - 2012
Externally publishedYes
Event28th Annual Computer Security Applications Conference, ACSAC 2012 - Orlando, FL, United States
Duration: Dec 3 2012Dec 7 2012

Publication series

NameACM International Conference Proceeding Series


Other28th Annual Computer Security Applications Conference, ACSAC 2012
Country/TerritoryUnited States
CityOrlando, FL

All Science Journal Classification (ASJC) codes

  • Software
  • Human-Computer Interaction
  • Computer Vision and Pattern Recognition
  • Computer Networks and Communications


Dive into the research topics of 'Permission evolution in the Android ecosystem'. Together they form a unique fingerprint.

Cite this