Table 1: Number of different UI events (UIE), identified context (CTX) and resource access (contextualized/total).
Package (version) UIE CTX Cam Loc Mic Sto
Amazon (24.6.0.100) 59 20 3/3 20/59
Ebay (6.48.0.1) 15 8 3/5 6/13 3/3
Facebook-katana (353.0.0.0.4) 36 27 2/2 19/25 15/17
Google Earth (9.151.0.2) 39 21 5/6 3/4
Instagram (223.0.0.0.18) 14 11 11/13 2/2
Shazam (12.6.0) 98 29 6/6 1/1
Spotify (2.0.45) 61 21 4/4
Sticker Maker (0.0.2-82) 14 5 1/10 4/4
Translate (6.14.0.05.35) 44 22 9/22 4/4 12/20
VideoLan (3.4.3) 27 12 2/2
be explicitly authorized by the user. However, once a permission is granted, the mobile application is allowed to access the related resource until the grant is explicitly removed or the app is uninstalled. Thus, an app may use resources like the camera or the GPS within several different features, making it difficult for the user to discriminate between the features that are allowed to access the resource and those that should be blocked.
To assess the effectiveness of the tool in automatically discriminating between different kinds of access to the same sensitive resource, we conducted a preliminary study on 10 popular apps. The apps were automatically exercised using Monkey, a program that generates pseudo-random streams of user events such as clicks, touches, or gestures, as well as a number of system-level events (Google, 2022b). The results confirm that, in many cases, when an app accesses a sensitive resource, it does so in more than one context. Even though the most recent versions of Android improved user awareness by enforcing the privacy protection mechanism through special LED indicators, nothing prevents the app from exploiting the acquired permission.
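The metrics reported in Table 1 (distinct UI events, identified contexts, and contextualized versus total accesses per resource) can be illustrated on a small event trace. The following is an added example written for this page, not the RPCDroid tool's own code: it takes a constructed trace of injected UI events and sensitive-resource accesses, attributes each access to the most recent UI event within a time window (the window length, the event fields and the widget names are assumptions), and then reports, from a defender's point of view, the accesses that fall outside the contexts a user would expect.

```python
"""Attribute sensitive-resource accesses to UI contexts on a constructed trace.

Added example for this page; not the RPCDroid paper's implementation.
Assumptions: events carry a timestamp, a kind ("ui" or "access") and a detail
string; an access is tied to the last UI event only if it occurs within
CONTEXT_WINDOW_S seconds of it.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Event:
    ts: float     # seconds since app start
    kind: str     # "ui" (event injected by the driver) or "access" (sensitive resource use)
    detail: str   # for "ui": "<widget>:<action>"; for "access": resource tag (Cam, Loc, Mic, Sto)


# Assumption: accesses later than this after the last UI event get no context.
CONTEXT_WINDOW_S = 2.0

# Constructed trace (not data from the paper). The same widget triggers the
# camera twice, and the camera feature also reads the location once.
TRACE: List[Event] = [
    Event(0.0, "ui", "btn_scan:click"),
    Event(0.4, "access", "Cam"),
    Event(1.0, "ui", "btn_search:click"),
    Event(1.3, "access", "Loc"),
    Event(5.0, "access", "Loc"),          # no UI event within the window: background use
    Event(6.0, "ui", "btn_scan:click"),
    Event(6.2, "access", "Cam"),
    Event(6.5, "access", "Loc"),          # second context for Loc: the scan feature
    Event(10.0, "ui", "tab_profile:swipe"),
    Event(10.3, "access", "Sto"),
]

# Constructed policy: the (context, resource) pairs a user would expect.
ALLOWED: Set[Tuple[str, str]] = {
    ("btn_scan:click", "Cam"),
    ("btn_search:click", "Loc"),
    ("tab_profile:swipe", "Sto"),
}


def attribute_contexts(trace: List[Event], window: float = CONTEXT_WINDOW_S):
    """Return (distinct UI events, set of (context, resource) pairs,
    per-resource (contextualized, total) counts)."""
    ui_events: Set[str] = set()
    contexts: Set[Tuple[str, str]] = set()
    counts: Dict[str, List[int]] = defaultdict(lambda: [0, 0])
    last_ui: Optional[Event] = None
    for ev in sorted(trace, key=lambda e: e.ts):
        if ev.kind == "ui":
            ui_events.add(ev.detail)
            last_ui = ev
        elif ev.kind == "access":
            counts[ev.detail][1] += 1                       # total accesses
            if last_ui is not None and ev.ts - last_ui.ts <= window:
                counts[ev.detail][0] += 1                   # contextualized accesses
                contexts.add((last_ui.detail, ev.detail))
    return ui_events, contexts, {r: (c[0], c[1]) for r, c in counts.items()}


def summarize(trace: List[Event], window: float = CONTEXT_WINDOW_S) -> Dict[str, object]:
    """Build one row in the shape of Table 1: UIE, CTX and "ctx/total" per resource."""
    ui, ctx, per = attribute_contexts(trace, window)
    row: Dict[str, object] = {"UIE": len(ui), "CTX": len(ctx)}
    for res, (c, t) in sorted(per.items()):
        row[res] = f"{c}/{t}"
    return row


def unexpected_accesses(trace: List[Event], allowed: Set[Tuple[str, str]],
                        window: float = CONTEXT_WINDOW_S) -> List[Tuple[float, Optional[str], str]]:
    """List accesses outside the allowed (context, resource) pairs: accesses with
    no attributable context and accesses from a context the user did not expect."""
    out: List[Tuple[float, Optional[str], str]] = []
    last_ui: Optional[Event] = None
    for ev in sorted(trace, key=lambda e: e.ts):
        if ev.kind == "ui":
            last_ui = ev
        elif ev.kind == "access":
            in_window = last_ui is not None and ev.ts - last_ui.ts <= window
            ctx = last_ui.detail if in_window else None
            if ctx is None or (ctx, ev.detail) not in allowed:
                out.append((ev.ts, ctx, ev.detail))
    return out


if __name__ == "__main__":
    print(summarize(TRACE))
    for ts, ctx, res in unexpected_accesses(TRACE, ALLOWED):
        print(f"t={ts:5.1f}s  resource={res:<4} context={ctx or 'none'}")
```

On the constructed trace the row reads UIE 3, CTX 4, Cam 2/2, Loc 2/3, Sto 1/1: the location is read in two distinct contexts plus once with no attributable UI event, which is exactly the situation in which a single granted permission cannot tell the user which feature is using the resource. The policy check then surfaces both the background read and the read from the scan feature.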
As future work, we plan to conduct a large-scale analysis of the apps published in the Play Store™ to investigate how widespread the problem is.
REFERENCES
Autili, M., Malavolta, I., Perucci, A., Scoccia, G. L., and Verdecchia, R. (2021). Software engineering techniques for statically analyzing mobile apps: research trends, characteristics, and potential for industrial adoption. Journal of Internet Services and Applications, 12(1):1–60.
Ball, T. (1999). The concept of dynamic analysis. In Software Engineering—ESEC/FSE’99, pages 216–234. Springer.
Chester, P., Jones, C., Mkaouer, M. W., and Krutz, D. E. (2017). M-Perm: A lightweight detector for Android permission gaps. In 2017 IEEE/ACM 4th International Conference on Mobile Software Engineering and Systems (MOBILESoft), pages 217–218. IEEE.
Gomes, I., Morgado, P., Gomes, T., and Moreira, R. (2009). An overview on the static code analysis approach in software development. Faculdade de Engenharia da Universidade do Porto, Portugal.
Google (2022a). Android developers guide: Overview of memory management. https://developer.android.com/topic/performance/memory-overview.
Google (2022b). Android Studio guide: UI/Application Exerciser Monkey. https://developer.android.com/studio/test/monkey.
Hasan, H., Ladani, B. T., and Zamani, B. (2020). Enhancing Monkey to trigger malicious payloads in Android malware. In 2020 17th International ISC Conference on Information Security and Cryptology (ISCISC), pages 65–72.
Heid, K. and Heider, J. (2021). Automated, dynamic Android app vulnerability and privacy leak analysis: Design considerations, required components and available tools. In European Interdisciplinary Cybersecurity Conference, EICC, pages 1–6, New York, NY, USA. Association for Computing Machinery.
Lee, B., Lu, L., Wang, T., Kim, T., and Lee, W. (2014). From Zygote to Morula: Fortifying weakened ASLR on Android. In 2014 IEEE Symposium on Security and Privacy, pages 424–439.
Li, R., Diao, W., Li, Z., Du, J., and Guo, S. (2021). Android custom permissions demystified: From privilege escalation to design shortcomings. In 2021 IEEE Symposium on Security and Privacy (SP), pages 70–86.
Liu, X., Liu, J., Zhu, S., Wang, W., and Zhang, X. (2019). Privacy risk analysis and mitigation of analytics libraries in the Android ecosystem. IEEE Transactions on Mobile Computing, 19(5):1184–1199.
Osman, T., Mannan, M., Hengartner, U., and Youssef, A. (2020). Securing applications against side-channel attacks through resource access veto. Digital Threats: Research and Practice, 1(4):1–29.
Scoccia, G. L., Malavolta, I., Autili, M., Di Salle, A., and Inverardi, P. (2021). Enhancing trustability of Android applications via user-centric flexible permissions. IEEE Transactions on Software Engineering, 47(10):2032–2051.
Verderame, L., Caputo, D., Romdhana, A., and Merlo, A. (2020). On the (un)reliability of privacy policies in Android apps. In 2020 International Joint Conference on Neural Networks (IJCNN), pages 1–9. IEEE.
Wang, Y., Wang, Y., Wang, S., Liu, Y., Xu, C., Cheung, S.-C., Yu, H., and Zhu, Z. (2021). Runtime permission issues in Android apps: Taxonomy, practices, and ways forward. arXiv preprint arXiv:2106.13012.
Wijesekera, P., Baokar, A., Hosseini, A., Egelman, S., Wagner, D., and Beznosov, K. (2015). Android permissions remystified: A field study on contextual integrity. In Proceedings of the 24th USENIX Conference on Security Symposium, SEC’15, pages 499–514, USA. USENIX Association.
Wijesekera, P., Baokar, A., Tsai, L., Reardon, J., Egelman, S., Wagner, D., and Beznosov, K. (2018). Dynamically regulating mobile application permissions. IEEE Security & Privacy, 16(1):64–71.
RPCDroid: Runtime Identification of Permission Usage Contexts in Android Applications