中文

Silent Consent, Persistent Risk: Android Permission Groups and Custom Permissions

密码学与安全 2026-05-28 v1

摘要

Android's permission system is designed to balance usability with informed consent, yet two legacy mechanisms still undermine that balance in Android 16: (i) permission groups that silently auto-grant new permissions within a group after a user's initial approval, and (ii) normal-level custom permissions that are auto-granted at install and enable cross-app access with no user visibility. We conduct a longitudinal analysis of 19.3 million APKs spanning 5.97 million unique apps (distinct package identifiers) from the AndroZoo repository, combined with on-device validation on Android 16. Among 2,244,575 multi-version apps, 381,026 (17%) silently gain permissions within already-granted groups. Using VirusTotal detections with primary threshold t=20, apps flagged as malware expand within groups at a higher rate than benign apps (odds ratio = 1.35, p < 0.001); the association holds across every tested threshold and concentrates in permission-heavy apps (OR = 2.06 in the top quartile). We also identify 307 cross-developer normal-custom-permission pairs that expose contacts, SMS, location, authentication credentials, user identity, and medical records to unrelated apps without any user prompt. A lightweight prototype built on public Android APIs recorded 23 silent expansion events across 13 apps during a 96-day single-device pilot, showing that update-time transparency is reachable without OS modification. Our results show that consent erosion persists despite a decade of platform hardening and affects apps ranging from obscure utilities to widely deployed and pre-installed software.

关键词

引用

@article{arxiv.2605.27667,
  title  = {Silent Consent, Persistent Risk: Android Permission Groups and Custom Permissions},
  author = {Olawale Amos Akanji and Manuel Egele and Gianluca Stringhini},
  journal= {arXiv preprint arXiv:2605.27667},
  year   = {2026}
}

备注

24 pages, 3 figures, 6 tables. To appear in the Proceedings of the 23rd Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA 2026), July 1-3, 2026, Chania, Greece. Springer Lecture Notes in Computer Science (LNCS)