| Summary: | The adage \there's an app for that" holds true in modern app stores. Indeed, app stores usually go further and provide multiple apps with very similar functionality; examples range from flashlight apps to alarm clocks. We call these functionally-similar apps. When searching for these apps, users are often presented with a vast array of choices, but no distinction is made in the user interface to highlight the relative privacy risks inherent in choosing one app over an- other. Yet the availability of many functionally-similar apps raises the question of whether some apps are significantly less invasive than others. In this paper, we take several steps toward answering this question. We begin by enumer- ating 2 500 groups of functionally-similar apps in the Google Play Store. Within groups of apps, we use static analysis to understand the real-world risks coming from apps with aggressive permission usage. By leveraging an established ranking system, and combining it with real-world data from over 28 000 Android devices, we quantify the improvements that can be made if users installed apps with privacy in mind. We observe that at least 25.6% of apps contain li- braries that gratuitously exploit available permissions and find that 43.5% of apps could be swapped for comparable alternatives that require fewer permissions. Permissions saved may deliver important privacy and security improvements, including preventing access to the calendar (in 24% of cases), sending text messages (12%) and recording audio (8%). This is particularly important for apps which embed third-party libraries, since library code executes with the same permissions as the app itself.
|
|---|