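% Conference paper record: it has authors and a page range, so it is typed as
% inproceedings. The proceedings type has no author field in the standard
% styles, which would drop the four authors from the rendered reference.
% NOTE(review): the source record carries no booktitle, publisher or DOI.
% inproceedings requires booktitle, so add it from the publisher's page
% before citing; until then BibTeX reports an empty-booktitle warning.
% The note field holds a quoted excerpt describing how the app repositories
% and AndroidManifest.xml histories were collected; it is kept verbatim, with
% only the outer straight quotes replaced by LaTeX quote ligatures so that
% babel shorthands cannot reinterpret them.
@inproceedings{1921,
  author   = {Krutz, Daniel E. and Munaiah, Nuthan and Peruma, Anthony and Mkaouer, Mohamed Wiem},
  title    = {Who Added that Permission to My App? {An} Analysis of Developer Permission Changes in Open Source {Android} Apps},
  year     = {2017},
  month    = may,
  pages    = {165--169},
  keywords = {android, mobile},
  note     = {``Our first step was to collect open source Android repositories from F-Droid ... We collected the git repositories for each app, ... we recorded all permissions, including those which were custom. At the time of our analysis, F-Droid contained information for 2,372 open source Android apps. ... This process identified 1,402 apps that had a AndroidManifest.xml file with a history of commits... we created a tool known as Open Source Android Repository Analyzer (oSARA)...we extracted version control commit information ... extracts all committed AndroidManifest.xml files from the version control history ...the committed version of the AndroidManifest.xml file was also extracted from the repositories, and all metadata was stored in a SQLite database''},
  abstract = {Android applications rely on a permission-based model to carry out core functionality. Appropriate permission usage is imperative for ensuring device security and protecting the user's desired privacy levels. But who is making the important decisions of which permissions the app should request? Are they experienced developers with the appropriate project knowledge to make such important decisions, or are these crucial choices being made by those with relatively minor amounts of contributions to the project? When are these permission-related decisions being made in the app's development life cycle? We examined 1,402 Android version control repositories containing over 331,318 commits including 18,751 AndroidManifest.xml versions to better understand when, why, and who is adding permissions to apps. We found that (I) developers with more experience are more likely to make permission-based changes (II) permissions are typically added earlier in apps' commit lifetime, but their removal is more sustained throughout the commit lifetime (III) developers reverting permission-based changes are typically more experienced than developers who initially made the change being reverted.},
}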