Android and Facebook provide third-party applications with access to users' private data and the ability to perform potentially sensitive operations (e.g., post to a user's wall or place phone calls). As a security measure, these platforms restrict applications' privileges with permission systems: users must approve the permissions requested by applications before the applications can make privacy- or security-relevant API calls. However, recent studies have shown that users often do not understand permission requests and lack a notion of typicality of requests. As a first step towards simplifying permission systems, we cluster a corpus of 188,389 Android applications and 27,029 Facebook applications to find patterns in permission requests. Using a method for Boolean matrix factorization for finding overlapping clusters, we find that Facebook permission requests follow a clear structure that exhibits high stability when fitted with only five clusters, whereas Android applications demonstrate more complex permission requests. We also find that low-reputation applications often deviate from the permission request patterns that we identified for high-reputation applications suggesting that permission request patterns are indicative for user satisfaction or application quality.
- Pub Date:
- October 2012
- Computer Science - Cryptography and Security;
- Computer Science - Artificial Intelligence;
- Statistics - Machine Learning
- To be presented at the IEEE International Conference on Data Mining (ICDM) in Brussels, Belgium. This extended author version contains additional analysis of the dataset(price distribution, rating distribution), more details about model-order selection, and more experiments. Please download the dataset from http://www.mariofrank.net/andrApps/index.html