Hidden Permissions on Android: A Permission-Based Android Mobile Privacy Risk Model

Research output: Contribution to conferencePaperpeer-review


The continuously increasing amount of data input on mobile devices has made collating and monitoring users’ data
not only uniquely personalised but easier than ever. Along with that, mobile security threats have overtaken with rising
numbers in bank fraud and personal information leaks. This suggests that there is a significant lack of awareness of security
issues among mobile users. Specifically, permission-based passive content leaks are getting more attention due to the
emerging issues in data privacy. One reason for this is that permissions are running in the background collecting and
transmitting data between applications within the same permission group, without the user's knowledge. This means, that
a supposedly innocent application like the Clock, which is linked with the Calendar to provide the date and time functionality,
can have access to any other application within the same Calendar permission group, which is compromising confidentiality.
Moreover, this can lead to a violation of data privacy as the user is not aware of which assets are being shared between
permissions. Developers of mobile platforms have implemented permission-based models to counteract these issues,
however, application designers have shown that they are not necessarily complying with the General Data Protection
Regulations (GDPR). For the mobile user, this means that app developers, app providers, and third parties who are included
in the applications, can gain access to sensitive data without user consent or awareness. To address this issue, this study
examines permissions that are inherent in the Android mobile infrastructure and exemplifies how they can reveal delicate
user information, identify user behaviour, and can be shared among other applications - without obviously breaching GDPR
guidelines. 10 first-party Android applications were statically analysed by their permissions and manually investigated for
their actual purpose and privacy risk. Finally, considering the affected area, these permissions were categorised into four
asset groups that form the base of a risk model. With risk levels from low to high, this model provides detection of risks on
data privacy in mobile permissions and highlights the difficulty with GDPR compliance, which we therefore named PRAM, a
permission-based Android Mobile Privacy Risk Assessment Model.
Original languageEnglish
Pages&17 - 724
Publication statusPublished - 2023
Event22nd European Conference on Cyber Warfare and Security,
- the University of Piraeus, Greece
Duration: 22 Jun 202323 Jun 2023


Conference22nd European Conference on Cyber Warfare and Security,
Abbreviated titleECCWS 2023
Internet address

Cite this