Mining Permission Request Patterns from Android and Facebook Applications (extended author version)
This work addresses security and usability issues for users of the Android and Facebook platforms by identifying patterns that could simplify permission systems, though it is incremental in that it builds on existing clustering methods.
The study analyzed permission request patterns in 188,389 Android and 27,029 Facebook applications using Boolean matrix factorization, finding that Facebook requests are stable with five clusters while Android requests are more complex, and low-reputation apps often deviate from high-reputation patterns.
Android and Facebook provide third-party applications with access to users' private data and the ability to perform potentially sensitive operations (e.g., post to a user's wall or place phone calls). As a security measure, these platforms restrict applications' privileges with permission systems: users must approve the permissions requested by applications before the applications can make privacy- or security-relevant API calls. However, recent studies have shown that users often do not understand permission requests and lack a notion of typicality of requests. As a first step towards simplifying permission systems, we cluster a corpus of 188,389 Android applications and 27,029 Facebook applications to find patterns in permission requests. Using a method for Boolean matrix factorization for finding overlapping clusters, we find that Facebook permission requests follow a clear structure that exhibits high stability when fitted with only five clusters, whereas Android applications demonstrate more complex permission requests. We also find that low-reputation applications often deviate from the permission request patterns that we identified for high-reputation applications, suggesting that permission request patterns are indicative of user satisfaction or application quality.
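To make the "deviation from permission request patterns" idea concrete, the following added example (not code from the paper) shows the assignment half of a Boolean factorization: given fixed cluster rows, each app is explained as the Boolean OR of several overlapping clusters, and the permissions left unexplained measure its deviation. The cluster definitions, app names and exhaustive search are assumptions made for illustration; the paper's own factorization method and clusters are not reproduced here.

```python
from itertools import combinations

# Constructed cluster (basis) rows: cluster name -> permissions it implies.
# Illustrative only; these are not the clusters reported in the paper.
CLUSTERS = {
    "network": frozenset({"INTERNET", "ACCESS_NETWORK_STATE"}),
    "location": frozenset({"ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION"}),
    "storage": frozenset({"WRITE_EXTERNAL_STORAGE"}),
    "telephony": frozenset({"READ_PHONE_STATE", "CALL_PHONE"}),
}

def reconstruct(combo, clusters):
    """Boolean OR (set union) of the chosen cluster rows."""
    return frozenset().union(*(clusters[c] for c in combo))

def assign(app_perms, clusters=CLUSTERS):
    """Return (cluster names, deviation) minimising reconstruction error.

    Deviation is the Hamming distance between the requested permissions
    and the OR of the assigned clusters. Exhaustive search: small k only.
    """
    app_perms = frozenset(app_perms)
    names = sorted(clusters)
    best = ((), len(app_perms))  # no clusters: every request is unexplained
    for r in range(1, len(names) + 1):
        for combo in combinations(names, r):
            err = len(app_perms ^ reconstruct(combo, clusters))
            if err < best[1]:
                best = (combo, err)
    return best

def deviation_report(apps, clusters=CLUSTERS):
    """Map app name -> (assigned clusters, unexplained permissions, deviation)."""
    report = {}
    for name, perms in apps.items():
        combo, err = assign(perms, clusters)
        unexplained = sorted(frozenset(perms) - reconstruct(combo, clusters))
        report[name] = (combo, unexplained, err)
    return report

# Constructed sample apps (hypothetical names and permission sets).
APPS = {
    "maps_app": {"INTERNET", "ACCESS_NETWORK_STATE",
                 "ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION"},
    "wallpaper_app": {"INTERNET", "ACCESS_NETWORK_STATE",
                      "WRITE_EXTERNAL_STORAGE", "SEND_SMS", "READ_CONTACTS"},
}

if __name__ == "__main__":
    for app, row in deviation_report(APPS).items():
        print(app, row)
```

An app that fits the patterns gets deviation 0, while one requesting permissions outside every cluster surfaces those permissions by name for review.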