
Permission Issues in Open-Source Android Apps: An Exploratory Study

Presented at: 19th IEEE International Working Conference on Source Code Analysis and Manipulation

Date of Conference: 30 Sept.-1 Oct. 2019
Conference Location: Cleveland, OH, USA
DOI: https://doi.org/10.1109/SCAM.2019.00034



  1. Permission Issues in Open-Source Android Apps: An Exploratory Study
     Gian Luca Scoccia, Anthony Peruma, Virginia Pujols, Ivano Malavolta, Daniel E. Krutz
     19th IEEE International Working Conference on Source Code Analysis and Manipulation, September 30-October 01, 2019
  2. Research Goal & Contributions
     ● Provide a better understanding of permission-related issues (PRIs) introduced and fixed by developers in Android apps
     ● Frequency of PRIs in a project and their decay time
     ● Type of developers introducing and fixing PRIs
     ● Replication package availability
  3. Research Questions
     1. What are the most common types of permission-related issues in Android apps?
        ○ Helps developers understand the most prevalent PRIs in their apps and better plan implementation and maintenance tasks
     2. How long do permission-related issues tend to remain in Android apps across their lifetime?
        ○ Helps developers better prioritize the addressing of PRIs
     3. How does developers' status within the project correlate with the introduction of permission-related issues?
        ○ Provides insight on who should be making permission-based decisions for an app
  4. Permission-Related Issues (PRIs), with the prior published tool that detects each
     ● O (Over-permission): too many permissions requested (violates the least privilege principle). Tool: M-Perm
     ● U (Under-permission): not enough permissions requested for the APIs the app uses. Tool: M-Perm
     ● MC (Missing Check): checkSelfPermission() is not called when requesting a permission. Tool: P-Lint
     ● MRP (Multiple Requests in Proximity): multiple permissions requested in close proximity, possibly overwhelming the user. Tool: P-Lint
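The four issue types on this slide are mechanical enough to sketch as a static check. The following is an added example written for this page, not M-Perm or P-Lint; it runs over a constructed manifest and Java source, and its API-to-permission map is a hand-picked subset of the real one.

```python
"""Toy checker for the four PRI types on the slide. Added example, not
M-Perm or P-Lint; the API-to-permission map is a hand-picked subset."""
import re
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
# Constructed subset: an API call and the permission it needs.
API_PERMISSIONS = {
    "Camera.open(": "android.permission.CAMERA",
    "requestLocationUpdates(": "android.permission.ACCESS_FINE_LOCATION",
    "sendTextMessage(": "android.permission.SEND_SMS",
}

def _perm_names(src, call):
    """Every Manifest.permission.X named inside a `call(...)` statement."""
    names = set()
    for stmt in re.findall(call + r"\([^;]*", src):
        names.update(re.findall(r"Manifest\.permission\.(\w+)", stmt))
    return names

def find_pris(manifest_xml, java_src, window=5):
    declared = {e.get(ANDROID + "name")
                for e in ET.fromstring(manifest_xml).iter("uses-permission")}
    used = {perm for api, perm in API_PERMISSIONS.items() if api in java_src}
    issues = [("O", p) for p in sorted(declared - used)]   # declared, never used
    issues += [("U", p) for p in sorted(used - declared)]  # used, never declared
    # MC: requestPermissions() for X without any checkSelfPermission() for X.
    unchecked = (_perm_names(java_src, "requestPermissions")
                 - _perm_names(java_src, "checkSelfPermission"))
    issues += [("MC", "android.permission." + n) for n in sorted(unchecked)]
    # MRP: two requestPermissions() calls within `window` lines of each other.
    req_lines = [i + 1 for i, line in enumerate(java_src.splitlines())
                 if "requestPermissions(" in line]
    issues += [("MRP", f"lines {a}-{b}")
               for a, b in zip(req_lines, req_lines[1:]) if b - a <= window]
    return issues

# Constructed sample app: declares CAMERA and SEND_SMS, uses camera and location,
# and fires two permission requests back to back without checking either first.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
</manifest>"""
SAMPLE_JAVA = """
public class MainActivity extends Activity {
  void start() {
    Camera cam = Camera.open();
    lm.requestLocationUpdates(LocationManager.GPS_PROVIDER, 0, 0, listener);
    ActivityCompat.requestPermissions(this, new String[]{Manifest.permission.CAMERA}, 1);
    ActivityCompat.requestPermissions(this, new String[]{Manifest.permission.ACCESS_FINE_LOCATION}, 2);
  }
}"""

if __name__ == "__main__":
    for kind, detail in find_pris(SAMPLE_MANIFEST, SAMPLE_JAVA):
        print(kind, detail)
```

On the sample it reports one O (SEND_SMS), one U (ACCESS_FINE_LOCATION), two MC and one MRP; a source that checks before requesting and a manifest that matches its API use produce no findings.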
  5. Dataset Construction
     F-Droid → GitHub Repositories (2,002) → Filtering (923) → Filtering (574)
     Google Play → Java and AndroidManifest → MPerm & PLint → PRIs
     Note: Filtering includes duplicate/forked repositories, number of commits, weeks of activity and availability on the Google Play Store
  6. Common Types of PRIs in Android Apps
     Findings:
     ● Permission-related issues are a frequent phenomenon in Android apps
     ● Over- and under-permissions are the two most common issues
     ● Observed a dependence between PRIs: the existence of one type of PRI indicates that other types are also present in the code
     Action Item: Developers should integrate permission analysis tools (e.g., MPerm, PLint) into their development workflow
  7. Decay Time of PRIs in Android Apps
     Findings:
     ● The majority of PRIs are fixed within a few days of their introduction
     ● PRIs can remain in apps for extended periods of time, even years
     ● MC issues are harder to introduce but also harder to fix once introduced, because fixing them requires non-trivial code changes
     Action Item: Developers should pay increased attention to code that was written during early project life
  8. Developers' Responsibility Related to PRIs
     Findings:
     ● PRIs are introduced and fixed by both regular contributors and newcomers
     ● Regular contributors are responsible for the majority of introductions and fixes
     ● Low association between developers' status and the PRI types introduced/fixed
     [Charts: Developers' status when introducing PRIs; Developers' status when fixing PRIs]
     Action Item: Developers should be cognizant of PRIs when implementing apps
  9. Summary
     ● Investigated permission-related issues in 574 open-source Android apps
     ● Permission issues are frequent in Android apps
     ● Most issues are fixed within a few days, but they can also linger for extended periods of time
     ● Regular project contributors are responsible for introducing and fixing most permission issues
     ● Replication package is publicly available
  10. Thanks!