Enforcing Least Privilege with Android Permissions in Mobile App Development

Though there is evidence that presenting Android app permission information to the user in a clear, more contextdependent way can influence mobile phone users in choosing apps that request fewer permissions [4], ultimately users still tend to make poor privacy and security decisions, especially when warnings are unclear or inhibitive [1]. As a result, we believe that code developers should take some responsibility in safeguarding users’ privacy and preventing data leakage. One way to do this is by enforcing the concept of “least privilege” [5] in application development. Within this context, we are addressing the permission model in Android applications. Fewer permissions means a more effective permission system, so developers should apply this concept to the permission model. We propose PermitMe, which is a tool built as a plugin for the Eclipse IDE for static analysis on Android applications. It enforces “least privilege” by providing feedback to developers on missing or extraneous Android permissions.