Who Added that Permission to My App? An Analysis of Developer Permission Changes in Open Source Android Apps

Title: Who Added that Permission to My App? An Analysis of Developer Permission Changes in Open Source Android Apps
Publication Type: Conference Proceedings
Year of Publication: 2017
Authors: Krutz, Daniel E.; Munaiah, Nuthan; Peruma, Anthony; Mkaouer, Mohamed Wiem
Secondary Title: 2017 IEEE/ACM 4th International Conference on Mobile Software Engineering and Systems (MOBILESoft)
Date Published: 05/2017
Keywords: android, mobile

Android applications rely on a permission-based model to carry out core functionality. Appropriate permission usage is imperative for ensuring device security and protecting the user's desired privacy levels. But who is making the important decisions of which permissions the app should request? Are they experienced developers with the appropriate project knowledge to make such important decisions, or are these crucial choices being made by those with relatively minor amounts of contributions to the project? When are these permission-related decisions being made in the app's development life cycle? We examined 1,402 Android version control repositories containing over 331,318 commits including 18,751 AndroidManifest.xml versions to better understand when, why, and who is adding permissions to apps. We found that (I) developers with more experience are more likely to make permission-based changes, (II) permissions are typically added earlier in apps' commit lifetime, but their removal is more sustained throughout the commit lifetime, and (III) developers reverting permission-based changes are typically more experienced than developers who initially made the change being


"Our first step was to collect open source Android repositories from F-Droid ... We collected the git repositories for each app, ... we recorded all permissions, including those which were custom. At the time of our analysis, F-Droid contained information for 2,372 open source Android apps. ... This process identified 1,402 apps that had an AndroidManifest.xml file with a history of commits ... we created a tool known as Open Source Android Repository Analyzer (oSARA) ... we extracted version control commit information ... extracts all committed AndroidManifest.xml files from the version control history ... the committed version of the AndroidManifest.xml file was also extracted from the repositories, and all metadata was stored in a SQLite
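The pipeline the excerpt sketches (walk a repository's git history, pull every committed AndroidManifest.xml, record the permissions each version requests including custom ones, attribute each addition or removal to a committer, keep the metadata in SQLite) can be reproduced in a few dozen lines. The block below is an added illustration written for this page, not the paper's oSARA tool. The "experience" proxy (the author's number of earlier commits in the same repository), the manifest path, and the sample commit history are assumptions made for the example; `read_git_history` uses only standard `git log` and `git show` invocations and is not exercised by the constructed sample.

```python
"""Who added or removed which permission, per commit, for one Android app.
Illustrative example (not the paper's oSARA); sample history is constructed."""
import sqlite3
import subprocess
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS          # android:name, namespace-qualified
# Elements through which a manifest *requests* a permission. <permission> only
# declares a custom permission and is deliberately not counted as a request.
REQUEST_TAGS = ("uses-permission", "uses-permission-sdk-23")


@dataclass
class Commit:
    sha: str
    author: str
    date: str
    manifest: Optional[str]   # manifest text at this commit; None if not touched


def parse_permissions(xml_text):
    """Permissions requested by one manifest version, custom ones (anything outside
    android.permission.*) included. Malformed XML, common in old commits, returns
    None so the caller keeps the previous state instead of seeing mass removals."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    return {el.get(NAME_ATTR).strip()
            for tag in REQUEST_TAGS for el in root.iter(tag) if el.get(NAME_ATTR)}


def is_custom(perm):
    return not perm.startswith("android.permission.")


def permission_changes(commits):
    """Walk commits oldest to newest; one row per permission added or removed.
    Last column is an assumed experience proxy: the author's prior commit count."""
    rows, current, prior = [], set(), {}
    for c in commits:
        exp = prior.get(c.author, 0)
        prior[c.author] = exp + 1
        if c.manifest is None:
            continue
        perms = parse_permissions(c.manifest)
        if perms is None:
            continue
        for p in sorted(perms - current):
            rows.append((c.sha, c.author, c.date, p, "added", is_custom(p), exp))
        for p in sorted(current - perms):
            rows.append((c.sha, c.author, c.date, p, "removed", is_custom(p), exp))
        current = perms
    return rows


def store(rows, path=":memory:"):
    """Persist the change rows in SQLite, as the paper did with its metadata."""
    db = sqlite3.connect(path)
    db.execute("""CREATE TABLE IF NOT EXISTS permission_change(
        sha TEXT, author TEXT, date TEXT, permission TEXT,
        action TEXT, custom INTEGER, author_prior_commits INTEGER)""")
    db.executemany("INSERT INTO permission_change VALUES (?,?,?,?,?,?,?)", rows)
    db.commit()
    return db


def read_git_history(repo, manifest_path="app/src/main/AndroidManifest.xml"):
    """Build the Commit list from a real checkout (assumed manifest path)."""
    run = lambda *args: subprocess.run(["git", "-C", repo, *args],
                                       capture_output=True, text=True)
    log = run("log", "--reverse", "--format=%H%x09%an%x09%aI").stdout
    touched = set(run("log", "--format=%H", "--", manifest_path).stdout.split())
    commits = []
    for line in log.splitlines():
        sha, author, date = line.split("\t")
        manifest = None
        if sha in touched:                       # deleted-in-this-commit -> None
            r = run("show", "%s:%s" % (sha, manifest_path))
            manifest = r.stdout if r.returncode == 0 else None
        commits.append(Commit(sha, author, date, manifest))
    return commits


def _manifest(*perms):   # helper to build constructed sample manifests
    body = "".join('<uses-permission android:name="%s"/>' % p for p in perms)
    return ('<manifest xmlns:android="%s" package="org.example.app">%s'
            '<application/></manifest>' % (ANDROID_NS, body))


# Constructed sample history, not data from any real repository.
SAMPLE_HISTORY = [
    Commit("a1", "alice", "2016-01-05", _manifest("android.permission.INTERNET")),
    Commit("b2", "alice", "2016-01-09", None),                    # manifest untouched
    Commit("c3", "bob", "2016-02-01", _manifest("android.permission.INTERNET",
           "android.permission.READ_CONTACTS", "org.example.app.SYNC")),
    Commit("d4", "alice", "2016-02-03", "<manifest><unclosed>"),  # broken XML, skipped
    Commit("e5", "alice", "2016-03-10", _manifest("android.permission.INTERNET",
           "org.example.app.SYNC")),                              # alice reverts bob
]

if __name__ == "__main__":
    for row in permission_changes(SAMPLE_HISTORY):
        print(row)
```

On the sample, `bob` adds `READ_CONTACTS` and a custom `org.example.app.SYNC` permission on his first commit, and `alice`, by then three commits into the project, later removes `READ_CONTACTS`; the `author_prior_commits` column is what lets a query compare the experience of the reverting developer with that of the original committer, which is the kind of comparison the abstract's finding (III) rests on. Treating a malformed manifest as "no change" rather than "all permissions removed" matters in practice, since old commits often fail to parse.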