Smartphone users are unable to preemptively identify potential mobile application malware. We developed Securacy, a mobile application that: crowdsources users’ concerns about applications’ security and privacy (i.e., securacy); informs users of potential risks; reveals hidden application network connections to servers; and pinpoints the location of the applications’ servers. We propose an alternative way of handling permissions: we abstract them as the user’s securacy concerns, which apply regardless of what application the user installs, as opposed to requesting a review of permissions every time an application is installed. Our tool enables collaborative detection of mobile application malware.
Users’ securacy concerns
We have abstracted the majority of Android’s permissions to 9 simple user securacy concerns:
- My profile: access to users’ profile (e.g., name, social stream and subscribed feeds);
- Location: access to users’ GPS- or network-based location;
- Contacts: access to users’ contact list data;
- Documents: access to users’ documents (e.g., pictures, music, storage, dictionary, logs);
- Calendar: access to users’ calendar events information;
- Messages and calls: access to users’ messages and calls information and history;
- Accounts: access to users’ device accounts (e.g., Google, Facebook, Twitter);
- Browser: access to users’ browsing history and bookmarks;
- Network and Internet: access to Internet, network information (e.g., Wi-Fi, Bluetooth).
Streamlined user experience
We carefully crafted our application to streamline users’ experience when dealing with misbehaving applications and being notified of applications’ permission usage. Upon installing or updating an application, if any of the user’s securacy concerns is in jeopardy, a notification appears on the display (bottom left). The user can then explore exactly what was broken and what the application’s current securacy rating is according to our community (bottom right).
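The install/update check described above can be illustrated as follows. This is an added example, not Securacy's own code: the permission-to-concern table is an assumption built from the examples in the concern list, the sample manifests and package name are constructed, and reporting only newly added permissions on an update is an assumed policy.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."
# Assumed mapping built from the examples in the list above; not Securacy's own table.
CONCERNS = {
    "My profile": {P + "READ_PROFILE", P + "READ_SOCIAL_STREAM", P + "SUBSCRIBED_FEEDS_READ"},
    "Location": {P + "ACCESS_FINE_LOCATION", P + "ACCESS_COARSE_LOCATION"},
    "Contacts": {P + "READ_CONTACTS"},
    "Documents": {P + "READ_EXTERNAL_STORAGE", P + "READ_USER_DICTIONARY", P + "READ_LOGS"},
    "Calendar": {P + "READ_CALENDAR"},
    "Messages and calls": {P + "READ_SMS", P + "READ_CALL_LOG"},
    "Accounts": {P + "GET_ACCOUNTS"},
    "Browser": {"com.android.browser.permission.READ_HISTORY_BOOKMARKS"},
    "Network and Internet": {P + "INTERNET", P + "ACCESS_WIFI_STATE", P + "BLUETOOTH"},
}
PERMISSION_TO_CONCERN = {p: c for c, perms in CONCERNS.items() for p in perms}

def requested_permissions(manifest_xml):
    """Permission names declared by <uses-permission> in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    names = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    return names - {None}

def concerns_at_risk(manifest_xml, user_concerns, previous_manifest_xml=None):
    """Map requested permissions to the user's selected concerns.
    On an update (previous manifest given) only newly added permissions count;
    that policy is an assumption of this example."""
    perms = requested_permissions(manifest_xml)
    if previous_manifest_xml is not None:
        perms -= requested_permissions(previous_manifest_xml)
    hits = {}
    for perm in sorted(perms):
        concern = PERMISSION_TO_CONCERN.get(perm)  # unmapped permissions are skipped
        if concern in user_concerns:
            hits.setdefault(concern, []).append(perm)
    return hits

# Constructed sample manifests (hypothetical package): version 1 and its update.
V1 = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""
V2 = V1.replace("</manifest>", """  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>""")

if __name__ == "__main__":
    print(concerns_at_risk(V2, {"Contacts", "Location", "Calendar"}, V1))
```

A non-empty result is the condition under which the notification would be raised; each key names the affected concern and the permissions behind it.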