Runtime Permission Issues in Android Apps: Taxonomy, Practices, and Ways Forward

Android introduces a new permission model that allows apps to request permissions at runtime rather than the installation time since 6.0 (Marshmallow, API level 23). While this provides users with greater flexibility in controlling an app's access sensitive data and system features, it brings challenges app development. First, as may grant or revoke any while they are using app, developers need ensure properly checks requests required before invoking permission-protected APIs. Second, Android's mechanism keeps evolving getting customized by device manufacturers. Developers expected comprehensively test their on different versions models make sure requested all situations. Unfortunately, these requirements often impractical for developers. In practice, many suffer from various issues (ARP issues). existing studies have explored ARP issues, understanding of such is still preliminary. To better characterize we performed empirical study 135 Stack Overflow posts discuss 199 real archived popular open-source projects GitHub. Via analyzing data, observed 11 types commonly occur apps. For each type systematically studied: (1) how can be manifested, (2) pervasive serious real-world apps, (3) fixed. We also analyzed evolution trend 2015 2020 understand impact ecosystem. Furthermore, conducted field survey in-depth interviews among practitioners community industry, gain insights practitioners’ practices learn tools help combat issues. Finally, strengths weaknesses detect built ARPBench , open benchmark consisting 94 evaluated performance three available tools. The experimental results indicate very limited supports detecting our issue report large number false alarms. further tools’ limitations summarized designing effective detection technique. hope findings shed light future research provide useful guidance practitioners.