Demystified
Android provides third-party applications with an extensive
API that includes access to phone hardware, settings, and
user data. Access to privacy- and security-relevant parts of
the API is controlled with an install-time application permission
system. We study Android applications to determine
whether Android developers follow least privilege with their
permission requests. We built Stowaway, a tool that detects
overprivilege in compiled Android applications. Stowaway
determines the set of API calls that an application uses and
then maps those API calls to permissions. We used automated
testing tools on the Android API in order to build
the permission map that is necessary for detecting overprivilege.
We apply Stowaway to a set of 940 applications and
find that about one-third are overprivileged. We investigate
the causes of overprivilege and find evidence that developers
are trying to follow least privilege but sometimes fail due to
insufficient API documentation.
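The detection step described above, as an added example that is not Stowaway's own code: a small permission map keyed by API method, a manifest parser that pulls the `uses-permission` entries, and an analysis that reports which requested permissions no observed API call needs (overprivilege), which needed permissions are missing (underprivilege), and which Android API calls the map does not cover. The map entries, the manifest and the list of extracted API calls are constructed for illustration; the real map in the paper was generated by automated testing of the Android API, and extracting the call set from a compiled app (DEX disassembly) is outside this snippet.

```python
"""Least-privilege check of an Android app's requested permissions.

Added example, not Stowaway's implementation.  All data below (permission
map fragment, manifest, API call list) is constructed for this example.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Hypothetical fragment of an API-to-permission map.  Each entry lists the
# permissions that must ALL be held to call the method.  Stowaway built its
# real map by automated testing; this is illustrative only and intentionally
# omits some calls (e.g. Camera.open) to show the incomplete-map case.
PERMISSION_MAP = {
    "java.net.Socket.connect": {"android.permission.INTERNET"},
    "android.location.LocationManager.getLastKnownLocation":
        {"android.permission.ACCESS_FINE_LOCATION"},
    "android.net.ConnectivityManager.getActiveNetworkInfo":
        {"android.permission.ACCESS_NETWORK_STATE"},
    "android.telephony.TelephonyManager.getDeviceId":
        {"android.permission.READ_PHONE_STATE"},
    "android.os.Vibrator.vibrate": {"android.permission.VIBRATE"},
}

# Heuristic: only calls into these namespaces are platform API calls whose
# permission requirements the map is expected to know about.
API_PREFIXES = ("android.", "java.", "javax.")

# Constructed manifest for a fictitious weather app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.weather">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <application android:label="Weather"/>
</manifest>
"""

# Constructed set of API methods "found" in the compiled app.  In practice
# this comes from disassembling the DEX bytecode.
SAMPLE_API_CALLS = [
    "java.net.Socket.connect",
    "android.location.LocationManager.getLastKnownLocation",
    "android.net.ConnectivityManager.getActiveNetworkInfo",
    "android.os.Vibrator.vibrate",
    "android.hardware.Camera.open",          # not in our map fragment
    "com.example.weather.Util.parseForecast",  # app's own code, ignored
]


@dataclass
class Report:
    requested: set = field(default_factory=set)
    required: set = field(default_factory=set)
    overprivileged: set = field(default_factory=set)   # requested, never needed
    underprivileged: set = field(default_factory=set)  # needed, not requested
    unmapped_calls: set = field(default_factory=set)   # API calls the map lacks


def parse_requested_permissions(manifest_xml):
    """Return the set of android:name values of <uses-permission> elements."""
    data = manifest_xml.encode() if isinstance(manifest_xml, str) else manifest_xml
    root = ET.fromstring(data)
    name_attr = "{%s}name" % ANDROID_NS
    return {el.get(name_attr) for el in root.iter("uses-permission") if el.get(name_attr)}


def analyze(requested, api_calls, permission_map=PERMISSION_MAP):
    """Compare requested permissions with those the observed API calls need."""
    report = Report(requested=set(requested))
    for call in api_calls:
        perms = permission_map.get(call)
        if perms is not None:
            report.required |= perms
        elif call.startswith(API_PREFIXES):
            # A platform call we cannot map: any overprivilege verdict is
            # uncertain, since this call might need one of the "unused" perms.
            report.unmapped_calls.add(call)
    report.overprivileged = report.requested - report.required
    report.underprivileged = report.required - report.requested
    return report


def analyze_manifest(manifest_xml, api_calls, permission_map=PERMISSION_MAP):
    return analyze(parse_requested_permissions(manifest_xml), api_calls, permission_map)


if __name__ == "__main__":
    r = analyze_manifest(SAMPLE_MANIFEST, SAMPLE_API_CALLS)
    print("overprivileged:", sorted(r.overprivileged))
    print("underprivileged:", sorted(r.underprivileged))
    print("unmapped API calls (verdict uncertain):", sorted(r.unmapped_calls))
```

Running it on the constructed data flags READ_PHONE_STATE as unnecessary and VIBRATE as missing, but also lists Camera.open as unmapped; a practitioner should treat the overprivilege finding as tentative until every platform call in the app is covered by the map, since gaps in the map are exactly what turns a correct permission request into a false positive.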