INSPIRED: Intention-based Privacy-preserving Permission Model

Mobile operating systems adopt permission systems to protect system integrity and user privacy. In this work, we propose INSPIRED, an intention-aware dynamic mediation system for mobile operating systems with privacy preserving capability. When a security or privacy sensitive behavior is triggered, INSPIRED automatically infers the underlying program intention by examining its runtime environment and justifies whether to grant the relevant permission by matching with user intention. We stress on runtime contextual-integrity by answering the following three questions: who initiated the behavior, when was the sensitive action triggered and under what kind of environment was it triggered? Specifically, observing that mobile applications intensively leverage user interface (UI) to reflect the underlying application functionality, we propose a machine learning based permission model using foreground information obtained from multiple sources. To precisely capture user intention, our permission model evolves over time and it can be user-customized by continuously learning from user decisions. Moreover, by keeping and processing all user’s behavioral data inside her own device (i.e., without sharing with a third-party cloud for learning), INSPIRED is also privacy-preserving. Our evaluation shows that our model achieves both high precision and recall (95%) based on 6,560 permission requests from both benign apps and malware. Further, it is capable of capturing users’ specific privacy preferences with an acceptable median fmeasure (84.7%) for 1,272 decisions from users. Finally, we show INSPIRED can be deployed on real Android devices to provide real-time protection with a low overhead.