revDroid: Code Analysis of the Side Effects after Dynamic Permission Revocation of Android Apps

Abstract

Dynamic revocation of permissions of installed Android applications has been gaining popularity, because of the increasing concern of security and privacy in the Android platform. However, applications often crash or misbehave when their permissions are revoked, rendering applications completely unusable. Even though Google has officially introduced the new permission mechanism in Android 6.0 to explicitly support dynamic permission revocation, the issue still exists. In this paper, we conduct an empirical study to understand the latest application practice post Android 6.0. Specifically, we design a practical tool, referred to as revDroid, to help us to empirically analyze how often the undesirable side effects, especially application crash, can occur in off-the-shelf Android applications. From the analysis of 248 popular applications from Google Play Store, revDroid finds out that 70% applications and 46% permission-relevant calls do not appropriately catch exceptions caused by permission revocation, while third-party libraries pay much more attention to permission revocation. We also use revDroid to analyze 132 recent malware samples. The result shows that only 27% malwares and 36% permission-relevant API calls of malwares fail to consider the permission revocation. In fact, many of them perform specialized handling of permission revocation to keep the core malicious logic running. Finally, revDroid can be used to help developers uncover the unhandled permission revocations during development time and greatly improve the application quality.