MSR 2020
Mon 29 - Tue 30 June 2020
co-located with ICSE 2020
Tue 30 Jun 2020 11:12 - 11:24 at MSR:Zoom2 - Security Chair(s): Dimitris Mitropoulos

Developers continuously update their Android apps to keep up with competitors in the market. Such constant updates do not bother end users, since by default the Android platform automatically pushes the most recent compatible release on the device, unless there are major changes in the list of requested permissions that users have to explicitly grant. The lack of explicit user’s approval for each application update, however, may lead to significant risks for the end user, as the new release may include new subtle behaviors which may be privacy-invasive. The introduction of permission groups in the Android permission model makes this problem even worse: if a user gives a single permission within a group, the application can silently request further permissions in this group with each update—without having to ask the user.

In this paper, we explain the threat that permission groups may pose for the privacy of Android users. We run an empirical study on 2,865,553 app releases, and we show that in a representative app store more than ∼17% of apps request new dangerous permissions that the operating system grants without any user’s approval. Our analyses show that apps actually use over 56% of such automatically granted permissions, although most of their descriptions do not explicitly explain for what purposes. Finally, our manual inspection reveals clear abuses of apps that leak sensitive data such as user’s accurate location, list of contacts, history of phone calls, and emails which are protected by permissions that the user never explicitly acknowledges.

Tue 30 Jun

Displayed time zone: (UTC) Coordinated Universal Time change

11:00 - 12:00
SecurityData Showcase / Technical Papers at MSR:Zoom2
Chair(s): Dimitris Mitropoulos Athens University of Economics and Business

Q/A & Discussion of Session Papers over Zoom (Joining info available on Slack)

11:00
12m
Live Q&A
Did You Remember To Test Your Tokens?MSR - Technical Paper
Technical Papers
Danielle Gonzalez Rochester Institute of Technology, USA, Michael Rath Technische Universität Ilmenau, Mehdi Mirakhorli Rochester Institute of Technology
DOI Pre-print Media Attached
11:12
12m
Live Q&A
Automatically Granted Permissions in Android appsMSR - Technical Paper
Technical Papers
Paolo Calciati IMDEA Software Institute, Konstantin Kuznetsov Saarland University, CISPA, Alessandra Gorla IMDEA Software Institute, Andreas Zeller CISPA Helmholtz Center for Information Security
Media Attached
11:24
12m
Live Q&A
PUMiner: Mining Security Posts from Developer Question and Answer Websites with PU LearningMSR - Technical Paper
Technical Papers
Triet Le Huynh Minh The University of Adelaide, David Hin , Roland Croft , Muhammad Ali Babar The University of Adelaide
DOI Pre-print Media Attached
11:36
12m
Live Q&A
A C/C++ Code Vulnerability Dataset with Code Changes and CVE SummariesMSR - Data Showcase
Data Showcase
A: Jiahao Fan New Jersey Institute of Technology, USA, A: Yi Li New Jersey Institute of Technology, USA, A: Shaohua Wang New Jersey Institute of Technology, USA, A: Tien N. Nguyen University of Texas at Dallas
Media Attached
11:48
12m
Live Q&A
The Impact of a Major Security Event on an Open Source Project: The Case of OpenSSLMSR - Technical Paper
Technical Papers
James Walden Northern Kentucky University
Pre-print Media Attached