Navaja Negra 2024

In our presentation at Navaja Negra 2024 we explained the difference between permissions and groups in the Android security model, presented the metrics we use in our APKFalcon app, and showed how we leverage information about permissions, groups and malware's use of permissions to build those metrics. We also showed the repository where we store the data behind these calculations and how others can use it.

We also answered very interesting questions that focused on several aspects, such as:
Including a measurement of how much use is made of permissions, taking into account that some apps use them more intensively than others.

Weighting permissions based on their impact on the functionality of the application: what functionality is lost when a permission is denied?
We understand that if the functionality is essential, denying the permission may not be a good idea. For example, removing camera and microphone permissions from a video conferencing app would cause it to lose almost all of its functionality.

What can be improved: the use of permissions by developers, or the Android security model?
We believe that it is possible to work on both aspects, but this is a topic that we will expand on in future posts.

Thanks to the feedback received, we concluded that any of these improvements to our indicators requires new information to be included in the repository, which we are still working on.

If you are interested in using it, you can find information at https://apkfalcon.infor.uva.es:8080/docs or https://apkfalcon.infor.uva.es/. If you want to suggest any additional information that you would like to find but that is not there now, please write to us at either of these email addresses: gi.ingpriv@uva.es, apppi@infor.uva.es

The App-PI Project we are developing is an initiative carried out under a collaboration agreement between the University of Valladolid and the S.M.E. National Cybersecurity Institute of Spain M.P., S.A. for the promotion of strategic cybersecurity projects in Spain, within the framework of the funds of the Recovery, Transformation and Resilience Plan, financed by the European Union (Next Generation).
