Hidden Permissions on Android: A Permission-Based Android Mobile Privacy Risk Model

Abstract

The continuously increasing amount of data input on mobile devices has made collating and monitoring users’ data not only uniquely personalised but easier than ever. Along with that, mobile security threats have overtaken with rising numbers in bank fraud and personal information leaks. This suggests that there is a significant lack of awareness of security issues among mobile users. Specifically, permission-based passive content leaks are getting more attention due to the emerging issues in data privacy. One reason for this is that permissions are running in the background collecting and transmitting data between applications within the same permission group, without the user's knowledge. This means, that a supposedly innocent application like the Clock, which is linked with the Calendar to provide the date and time functionality, can have access to any other application within the same Calendar permission group, which is compromising confidentiality. Moreover, this can lead to a violation of data privacy as the user is not aware of which assets are being shared between permissions. Developers of mobile platforms have implemented permission-based models to counteract these issues, however, application designers have shown that they are not necessarily complying with the General Data Protection Regulations (GDPR). For the mobile user, this means that app developers, app providers, and third parties who are included in the applications, can gain access to sensitive data without user consent or awareness. To address this issue, this study examines permissions that are inherent in the Android mobile infrastructure and exemplifies how they can reveal delicate user information, identify user behaviour, and can be shared among other applications - without obviously breaching GDPR guidelines. 10 first-party Android applications were statically analysed by their permissions and manually investigated for their actual purpose and privacy risk. Finally, considering the affected area, these permissions were categorised into four asset groups that form the base of a risk model. With risk levels from low to high, this model provides detection of risks on data privacy in mobile permissions and highlights the difficulty with GDPR compliance, which we therefore named PRAM, a permission-based Android Mobile Privacy Risk Assessment Model.