Is this app safe?

Third-party applications (apps) drive the attractiveness of web and mobile application platforms. Many of these platforms adopt a decentralized control strategy, relying on explicit user consent for granting permissions that the apps request. Users have to rely primarily on community ratings as the signals to identify the potentially harmful and inappropriate apps even though community ratings typically reflect opinions about perceived functionality or performance rather than about risks. With the arrival of HTML5 web apps, such user-consent permission systems will become more widespread. We study the effectiveness of user-consent permission systems through a large scale data collection of Facebook apps, Chrome extensions and Android apps. Our analysis confirms that the current forms of community ratings used in app markets today are not reliable indicators of privacy risks of an app. We find some evidence indicating attempts to mislead or entice users into granting permissions: free applications and applications with mature content request more permissions than is typical; ‘look-alike’ applications which have names similar to popular applications also request more permissions than is typical. We also find that across all three platforms popular applications request more permissions than average.

Results

Paper

• Pern Hui Chia, Yusuke Yamamoto, N. Asokan. Is this app safe? A large scale study on application permissions and risk signals. WWW ’12 Proceedings of the 21st International Conference on World Wide Web, April 2012

Data sets

• Android apps (pop, new, mr)
• facebook apps
• chrome extensions

Presentation

• Is this App safe?, April 2012.