Electrical Engineering and Computer Sciences

COLLEGE OF ENGINEERING

UC Berkeley

The Effectiveness of Install-Time Permission Systems for Third-Party Applications

Adrienne Porter Felt, Kate Greenwood and David Wagner

EECS Department
University of California, Berkeley
Technical Report No. UCB/EECS-2010-143
December 3, 2010

http://www.eecs.berkeley.edu/Pubs/TechRpts/2010/EECS-2010-143.pdf

In many modern development platforms, application permissions control third-party access to sensitive parts of the API (e.g., the camera or microphone). We study install-time permissions, which the user grants to applications during installation; different applications can receive different install-time permissions. Install-time permissions offer several advantages over traditional user-based permissions, which assign the user's full privileges to all applications. However, these benefits rely on the assumption that applications generally require less than full privileges. We explore whether that assumption is realistic, which provides insight into the value of install-time permission.

We perform case studies on two systems with install-time permissions for third-party applications, the Google Chrome extension platform and the Android OS. We collect the permission requirements of a large set of Google Chrome extensions and Android applications. From this data, we evaluate whether install-time permissions are effective at protecting users. Our results indicate that install-time application permissions have a strong positive impact on system security, but a number of changes could further improve their utility.


BibTeX citation:

@techreport{Felt:EECS-2010-143,
    Author = {Felt, Adrienne Porter and Greenwood, Kate and Wagner, David},
    Title = {The Effectiveness of Install-Time Permission Systems for Third-Party Applications},
    Institution = {EECS Department, University of California, Berkeley},
    Year = {2010},
    Month = {Dec},
    URL = {http://www.eecs.berkeley.edu/Pubs/TechRpts/2010/EECS-2010-143.html},
    Number = {UCB/EECS-2010-143},
    Abstract = {In many modern development platforms, application permissions control third-party access to sensitive parts of the API (e.g., the camera or microphone). We study install-time permissions, which the user grants to applications during installation; different applications can receive different install-time permissions. Install-time permissions offer several advantages over traditional user-based permissions, which assign the user's full privileges to all applications. However, these benefits rely on the assumption that applications generally require less than full privileges. We explore whether that assumption is realistic, which provides insight into the value of install-time permission.

We perform case studies on two systems with install-time permissions for third-party applications, the Google Chrome extension platform and the Android OS. We collect the permission requirements of a large set of Google Chrome extensions and Android applications. From this data, we evaluate whether install-time permissions are effective at protecting users. Our results indicate that install-time application permissions have a strong positive impact on system security, but a number of changes could further improve their utility.}
}

EndNote citation:

%0 Report
%A Felt, Adrienne Porter
%A Greenwood, Kate
%A Wagner, David
%T The Effectiveness of Install-Time Permission Systems for Third-Party Applications
%I EECS Department, University of California, Berkeley
%D 2010
%8 December 3
%@ UCB/EECS-2010-143
%U http://www.eecs.berkeley.edu/Pubs/TechRpts/2010/EECS-2010-143.html
%F Felt:EECS-2010-143