Security-centric ranking algorithm and two privacy scores to mitigate intrusive apps

Abstract

Smartphone users are constantly facing the risks of losing their private information to third-party mobile applications. Studies have revealed that the vast majority of users either do not pay attention to privacy or unable to comprehend privacy messages. Developers though have exploited this fact by asking users to grant their apps an enormous number of permissions. In this article, we propose and evaluate a new security-centric ranking algorithm built on top of the Elasticsearch engine to help users evade such apps. The algorithm calculates an intrusiveness score for an app based on its requested permissions, received system actions, and users' privacy preferences. As such, we further propose a new approach to capture these preferences. We evaluate the ranking algorithm using a million Android applications, contextual data and APK files, that we collect from the Google Play store. The results show that the scoring and reranking steps add minor overhead. Moreover, participants of the user studies gave positive feedback for the ranking algorithm and the privacy preferences solicitation approach. These results suggest that our proposed system would definitely protect the privacy of mobile users and pushes developers into requesting least amount of privileges. Still, there are many risks that endanger the users' privacy.