Analysis of Most Unexpected Permissions for Android Apps

Our team has been analyzing Android apps for unusual behaviors, using crowdsourcing techniques to find differences between what people expect an app to do and what the app actually does.

Here are the top 10 most unexpected permissions (app and permission pairs), based on our crowdsourcing approach to analyzing the behavior of Android apps. Each circle represents the level of surprise people had for each permission (N=20 participants per pair). For example, a vast majority of people (95%) were surprised that Brightest Flashlight used location data, but no one (0%) was surprised that Google Maps did so. We use level of surprise as one proxy for whether a data use is a privacy problem. If people aren't surprised, then from our perspective it's less of a privacy issue, since they have some level of informed consent. On the other hand, if lots of people are surprised, then we have a potential privacy issue at hand.
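To make the surprise metric concrete, here is an added example (not code from the original post or from the study) that computes the surprise rate for each app and permission pair from per-participant answers, ranks the pairs, and attaches a 95% Wilson score interval so the N=20 caveat is visible. The survey responses are constructed here to mirror the proportions quoted above; they are not the study's data, and the function and variable names are my own.

```python
import math
from collections import defaultdict

Z_95 = 1.96  # two-sided 95% normal quantile


def surprise_rates(responses):
    """Fraction of participants surprised, keyed by (app, permission).

    responses: iterable of (app, permission, was_surprised) tuples, one per
    participant answer to "were you surprised that <app> uses <permission>?"
    """
    surprised = defaultdict(int)
    total = defaultdict(int)
    for app, perm, was_surprised in responses:
        total[(app, perm)] += 1
        surprised[(app, perm)] += int(bool(was_surprised))
    return {key: surprised[key] / total[key] for key in total}


def rank_by_surprise(rates):
    """Most surprising pair first, as a list of ((app, perm), rate)."""
    return sorted(rates.items(), key=lambda kv: kv[1], reverse=True)


def wilson_interval(p_hat, n, z=Z_95):
    """95% Wilson score interval for a proportion p_hat observed over n answers.

    With n=20 the interval is wide, so nearby ranks are not really separable.
    """
    denom = 1.0 + z * z / n
    center = (p_hat + z * z / (2.0 * n)) / denom
    half = z * math.sqrt(p_hat * (1.0 - p_hat) / n + z * z / (4.0 * n * n)) / denom
    return max(0.0, center - half), min(1.0, center + half)


def constructed_responses(n=20):
    """Constructed sample (assumption, not the study's data): n simulated
    participants per pair, with counts chosen to match the percentages in
    the post (95%, 80%, 0%)."""
    counts = {
        ("Brightest Flashlight", "location"): 19,
        ("Angry Birds", "location"): 16,
        ("Google Maps", "location"): 0,
    }
    responses = []
    for (app, perm), k in counts.items():
        # the first k participants answer "surprised", the rest "not surprised"
        responses += [(app, perm, i < k) for i in range(n)]
    return responses


if __name__ == "__main__":
    rates = surprise_rates(constructed_responses())
    for (app, perm), rate in rank_by_surprise(rates):
        lo, hi = wilson_interval(rate, 20)
        print(f"{app:22s} {perm:9s} {rate:5.0%}  95% CI [{lo:.0%}, {hi:.0%}]")
```

With 20 answers per pair, 95% surprised gives an interval of roughly 76% to 99% and 80% gives roughly 58% to 92%, so a top-10 ordering from this sample size is indicative rather than a precise ranking.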


Here is the top 10 list in text form, with links to more analysis where available.

  1. Brightest Flashlight
  2. Toss It
  3. Angry Birds
  4. Talking Tom Free
  5. Backgrounds HD Wallpapers
  6. Dictionary.com
  7. Mouse Trap
  8. Horoscope
  9. Shazam
  10. Pandora


Note that some of these uses, while rated as surprising, were perceived as legitimate once it was explained how the data was used. For example, the Dictionary.com app uses location to find words that others near you are searching for, rather than for ads or other purposes. In our work, we found that people were generally okay with this usage once it was made clear to them.

In the short-term, the main thrust of our research is to help people understand these kinds of unusual behaviors of apps, as well as increase transparency. It's worth pointing out too that a lot of this information seems to be used for advertising rather than malicious purposes (though it obviously depends on your definition of malicious). In the long-term, we need better policies and best practices around this kind of data collection, as well as better ways of helping developers create sustainable business models that also respect privacy.

Note that this list is based on the top 100 most popular Android apps around December 2011, so some things may have changed since then.


-------------------


Below is an analysis of the Top 10 Most Downloaded Android apps, showing the level of surprise for each permission. For example, for Angry Birds, we found that 80% of people (N=20) were surprised that it used location at all, whereas for Google Maps, 0% of people were surprised.

Here is the same list in text format, with links to more analysis for apps that we have probed in more depth.
  1. Facebook
  2. Google Maps
  3. Angry Birds
  4. Pandora
  5. KakaoTalk Messenger
  6. Bubble Blast
  7. Paradise Island
  8. Handcent SMS
  9. Adobe Flash Player
  10. Tap Fish
You can also read more about our research here (PDF). This work was done by Jialiu Lin, Shah Amini, myself (Jason Hong), and Norman Sadeh. This work is also funded in part by the National Science Foundation, Google, and the Army Research Office.
