Analysis and Transformations in Support of Android Privacy

To protect user's privacy and system's integrity, mobile platforms use permission models to control accesses to protected resources such as GPS location, Contacts, etc. The previous major version of Android used a static permission model, which compromised the security and privacy of apps. Android 6 overhauled its permission model to ask permissions at runtime which reduces the risk of permission abuse. However, migrating to the runtime permission model requires significant effort from the app developers. In our research we conducted a large-scale formative study to understand how app developers use and migrate to the new permission model. Inspired by these findings, we designed, implemented, and evaluated a tool suite that (i) recommends locations where to insert permission requests and (ii) automatically inserts all the permission-related code. Our empirical evaluations on a diverse corpus of real-world apps show that our tools are highly applicable and accurate.

This page contains the supporting artifacts for our research paper (which is currently under review at a major conference). Meanwhile you can read our Tech Report.

Google I/O 2016

An earlier version of our DP-TRANSFORM was demo-ed at the Google I/O'16 developer conference.
DroidPerm Demo @ Google I/O 2016 (Youtube)

DroidPerm in Action

Empirical Evaluation

To evaluate DP-TRANSFORM we used a diverse corpus of 71 randomly selected open-source apps from GitHub, comprising 920K lines of code. Developers already migrated these apps to Android 6. We rolled back the permission-related code and then used DP-TRANSFORM to reintroduce permissions in the same locations. Then we compare the developers' changes with those carried out by DP-TRANSFORM.


Denis Bogdanas
Nicholas Nelson
Jacob Lewis
George Harder
Danny Dig


If you found the DroidPerm toolset useful, we would love to hear from you. Please send constructive feedback to Denis