{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,6,19]],"date-time":"2025-06-19T04:08:03Z","timestamp":1750306083194,"version":"3.41.0"},"reference-count":88,"publisher":"Association for Computing Machinery (ACM)","issue":"4","license":[{"start":{"date-parts":[[2017,7,11]],"date-time":"2017-07-11T00:00:00Z","timestamp":1499731200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Trans. Inf. Syst."],"published-print":{"date-parts":[[2017,10,31]]},"abstract":"<jats:p>Mobile apps frequently request access to sensitive data, such as location and contacts. Understanding the purpose of why sensitive data is accessed could help improve privacy as well as enable new kinds of access control. In this article, we propose a text mining based method to infer the purpose of sensitive data access by Android apps. The key idea we propose is to extract multiple features from app code and then use those features to train a machine learning classifier for purpose inference. We present the design, implementation, and evaluation of two complementary approaches to infer the purpose of permission use, first using purely static analysis, and then using primarily dynamic analysis. We also discuss the pros and cons of both approaches and the trade-offs involved.<\/jats:p>","DOI":"10.1145\/3086677","type":"journal-article","created":{"date-parts":[[2017,7,11]],"date-time":"2017-07-11T20:00:35Z","timestamp":1499803235000},"page":"1-40","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":31,"title":["Understanding the Purpose of Permission Use in Mobile Apps"],"prefix":"10.1145","volume":"35","author":[{"given":"Haoyu","family":"Wang","sequence":"first","affiliation":[{"name":"Beijing University of Posts and Telecommunications"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Yuanchun","family":"Li","sequence":"additional","affiliation":[{"name":"Peking University"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Yao","family":"Guo","sequence":"additional","affiliation":[{"name":"Peking University"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Yuvraj","family":"Agarwal","sequence":"additional","affiliation":[{"name":"Carnegie Mellon University"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Jason I.","family":"Hong","sequence":"additional","affiliation":[{"name":"Carnegie Mellon University"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"320","published-online":{"date-parts":[[2017,7,11]]},"reference":[{"doi-asserted-by":"publisher","key":"e_1_2_1_1_1","DOI":"10.1145\/2462456.2464460"},{"doi-asserted-by":"publisher","key":"e_1_2_1_2_1","DOI":"10.1145\/2702123.2702210"},{"volume-title":"Proceedings of the PETools.","year":"2013","author":"Amini Shahriyar","key":"e_1_2_1_3_1"},{"unstructured":"Apktool 2016. Apktool: A tool for reverse engineering Android apk files. Retrieved from https:\/\/code.google.com\/p\/android-apktool\/.  Apktool 2016. Apktool: A tool for reverse engineering Android apk files. Retrieved from https:\/\/code.google.com\/p\/android-apktool\/.","key":"e_1_2_1_4_1"},{"unstructured":"AppStore 2016. Wikipedia App Store (iOS). Retrieved from https:\/\/en.wikipedia.org\/wiki\/App_Store_(iOS).  AppStore 2016. Wikipedia App Store (iOS). Retrieved from https:\/\/en.wikipedia.org\/wiki\/App_Store_(iOS).","key":"e_1_2_1_5_1"},{"doi-asserted-by":"publisher","key":"e_1_2_1_6_1","DOI":"10.1145\/2594291.2594299"},{"doi-asserted-by":"publisher","key":"e_1_2_1_7_1","DOI":"10.1145\/2382196.2382222"},{"doi-asserted-by":"publisher","key":"e_1_2_1_8_1","DOI":"10.1145\/2664243.2664265"},{"doi-asserted-by":"publisher","key":"e_1_2_1_9_1","DOI":"10.1007\/978-3-642-36742-7_39"},{"doi-asserted-by":"publisher","key":"e_1_2_1_10_1","DOI":"10.1145\/2501604.2501616"},{"doi-asserted-by":"publisher","key":"e_1_2_1_11_1","DOI":"10.1145\/2184489.2184500"},{"doi-asserted-by":"publisher","key":"e_1_2_1_12_1","DOI":"10.1145\/2976749.2978422"},{"doi-asserted-by":"publisher","key":"e_1_2_1_13_1","DOI":"10.5555\/2534766.2534778"},{"unstructured":"C4.5 2016. Wikipedia. C4.5 Algorithm. (2016). http:\/\/en.wikipedia.org\/wiki\/C4.5_algorithm.  C4.5 2016. Wikipedia. C4.5 Algorithm. (2016). http:\/\/en.wikipedia.org\/wiki\/C4.5_algorithm.","key":"e_1_2_1_14_1"},{"unstructured":"CaffeineMark 2016. CaffeineMark. Retrieved from https:\/\/play.google.com\/store\/apps\/details?id&equals;com.android.cm38hl&equals;zh_CN.  CaffeineMark 2016. CaffeineMark. Retrieved from https:\/\/play.google.com\/store\/apps\/details?id&equals;com.android.cm38hl&equals;zh_CN.","key":"e_1_2_1_15_1"},{"doi-asserted-by":"publisher","key":"e_1_2_1_16_1","DOI":"10.1145\/2335356.2335358"},{"unstructured":"Cross-Validation 2016. Wikipedia. Cross-validation. Retrieved from https:\/\/en.wikipedia.org\/wiki\/Cross-validation_(statistics).  Cross-Validation 2016. Wikipedia. Cross-validation. Retrieved from https:\/\/en.wikipedia.org\/wiki\/Cross-validation_(statistics).","key":"e_1_2_1_17_1"},{"doi-asserted-by":"publisher","key":"e_1_2_1_18_1","DOI":"10.1145\/2462456.2464462"},{"volume-title":"Proceedings of the Mobile Security Technologies.","year":"2012","author":"Davis Benjamin","key":"e_1_2_1_19_1"},{"unstructured":"Dex2jar 2016. dex2jar. Retrieved from https:\/\/code.google.com\/p\/dex2jar\/.  Dex2jar 2016. dex2jar. Retrieved from https:\/\/code.google.com\/p\/dex2jar\/.","key":"e_1_2_1_20_1"},{"volume-title":"Proceedings of the Workshop on the Economics of Information Security (WEIS).","year":"2012","author":"Egelman Serge","key":"e_1_2_1_21_1"},{"volume-title":"Proceedings of the 9th USENIX Conference on Operating Systems Design and Implementation (OSDI\u201910)","author":"Enck William","key":"e_1_2_1_22_1"},{"doi-asserted-by":"publisher","key":"e_1_2_1_23_1","DOI":"10.5555\/2028067.2028088"},{"doi-asserted-by":"publisher","key":"e_1_2_1_24_1","DOI":"10.1145\/1653662.1653691"},{"doi-asserted-by":"publisher","key":"e_1_2_1_25_1","DOI":"10.1145\/2335356.2335360"},{"doi-asserted-by":"publisher","key":"e_1_2_1_26_1","DOI":"10.1145\/1999732.1999740"},{"unstructured":"GooglePlay 2016. Wikipedia. Google Play. Retrieved from http:\/\/en.wikipedia.org\/wiki\/Google_Play.  GooglePlay 2016. Wikipedia. Google Play. Retrieved from http:\/\/en.wikipedia.org\/wiki\/Google_Play.","key":"e_1_2_1_27_1"},{"doi-asserted-by":"publisher","key":"e_1_2_1_28_1","DOI":"10.14722\/ndss.2015.23089"},{"doi-asserted-by":"publisher","key":"e_1_2_1_29_1","DOI":"10.1145\/2568225.2568276"},{"doi-asserted-by":"publisher","key":"e_1_2_1_30_1","DOI":"10.1145\/2556288.2556978"},{"volume-title":"Proceedigns of the 23rd USENIX Security Symposium (USENIX Security\u201914)","year":"2014","author":"Heuser Stephan","key":"e_1_2_1_31_1"},{"doi-asserted-by":"publisher","key":"e_1_2_1_32_1","DOI":"10.1145\/2046707.2046780"},{"doi-asserted-by":"publisher","key":"e_1_2_1_33_1","DOI":"10.1145\/1982595.1982612"},{"doi-asserted-by":"publisher","key":"e_1_2_1_34_1","DOI":"10.1145\/2771783.2771803"},{"doi-asserted-by":"publisher","key":"e_1_2_1_35_1","DOI":"10.1145\/2702123.2702370"},{"unstructured":"JD-Core-Java 2016. JD-Core-Java. Retrieved from http:\/\/jd.benow.ca\/.  JD-Core-Java 2016. JD-Core-Java. Retrieved from http:\/\/jd.benow.ca\/.","key":"e_1_2_1_36_1"},{"doi-asserted-by":"publisher","key":"e_1_2_1_37_1","DOI":"10.1145\/2483760.2483777"},{"doi-asserted-by":"publisher","key":"e_1_2_1_38_1","DOI":"10.1145\/2557547.2557549"},{"doi-asserted-by":"publisher","key":"e_1_2_1_39_1","DOI":"10.1145\/2381934.2381944"},{"doi-asserted-by":"publisher","key":"e_1_2_1_40_1","DOI":"10.1145\/2470654.2466466"},{"unstructured":"LibRadar 2016. LibRadar: Detecting Libraries in Android Apps. Retrieved from http:\/\/radar.pkuos.org\/. (2016).  LibRadar 2016. LibRadar: Detecting Libraries in Android Apps. Retrieved from http:\/\/radar.pkuos.org\/. (2016).","key":"e_1_2_1_41_1"},{"unstructured":"LibSVM 2016. LIBSVM\u2014A Library for Support Vector Machines. Retrieved from https:\/\/www.csie.ntu.edu.tw\/ cjlin\/libsvm\/.  LibSVM 2016. LIBSVM\u2014A Library for Support Vector Machines. Retrieved from https:\/\/www.csie.ntu.edu.tw\/ cjlin\/libsvm\/.","key":"e_1_2_1_42_1"},{"doi-asserted-by":"publisher","key":"e_1_2_1_43_1","DOI":"10.1145\/2370216.2370290"},{"volume-title":"Proceedings of the 2014 Symposium On Usable Privacy and Security (SOUPS\u201914)","author":"Lin Jialiu","key":"e_1_2_1_44_1"},{"doi-asserted-by":"publisher","key":"e_1_2_1_45_1","DOI":"10.1145\/2597073.2597109"},{"doi-asserted-by":"publisher","key":"e_1_2_1_46_1","DOI":"10.1145\/2742647.2742668"},{"unstructured":"Looper 2016. Looper. Retrieved from http:\/\/developer.android.com\/reference\/android\/os\/Looper.html.  Looper 2016. Looper. Retrieved from http:\/\/developer.android.com\/reference\/android\/os\/Looper.html.","key":"e_1_2_1_47_1"},{"doi-asserted-by":"publisher","key":"e_1_2_1_48_1","DOI":"10.1145\/2889160.2889178"},{"unstructured":"Mallet 2016. Mallet: MAchine Learning for LanguagE ToolkiT. Retrieved from http:\/\/mallet.cs.umass.edu\/.  Mallet 2016. Mallet: MAchine Learning for LanguagE ToolkiT. Retrieved from http:\/\/mallet.cs.umass.edu\/.","key":"e_1_2_1_49_1"},{"doi-asserted-by":"publisher","key":"e_1_2_1_50_1","DOI":"10.1145\/1620545.1620547"},{"unstructured":"Maximum Entropy 2016. Wikipedia Maximum Entropy. Retrieved from http:\/\/en.wikipedia.org\/wiki\/Maximum_entropy.  Maximum Entropy 2016. Wikipedia Maximum Entropy. Retrieved from http:\/\/en.wikipedia.org\/wiki\/Maximum_entropy.","key":"e_1_2_1_51_1"},{"unstructured":"Monkey 2016. UI\/Application Exerciser Monkey. Retrieved from developer.android.com\/tools\/help\/monkey.html.  Monkey 2016. UI\/Application Exerciser Monkey. Retrieved from developer.android.com\/tools\/help\/monkey.html.","key":"e_1_2_1_52_1"},{"unstructured":"MultipleThreads 2016. MultipleThreads. Retrieved from http:\/\/developer.android.com\/intl\/en-us\/training\/multiple-threads\/index.html.  MultipleThreads 2016. MultipleThreads. Retrieved from http:\/\/developer.android.com\/intl\/en-us\/training\/multiple-threads\/index.html.","key":"e_1_2_1_53_1"},{"doi-asserted-by":"publisher","key":"e_1_2_1_54_1","DOI":"10.1145\/1755688.1755732"},{"doi-asserted-by":"publisher","key":"e_1_2_1_55_1","DOI":"10.1109\/ACSAC.2009.39"},{"volume-title":"Proceedings of the 22nd USENIX Conference on Security (SEC\u201913)","year":"2013","author":"Pandita Rahul","key":"e_1_2_1_56_1"},{"doi-asserted-by":"publisher","key":"e_1_2_1_57_1","DOI":"10.1145\/2414456.2414498"},{"unstructured":"PermissionMappings 2015. Permission mappings. Retrieved from http:\/\/pscout.csl.toronto.edu\/.  PermissionMappings 2015. Permission mappings. Retrieved from http:\/\/pscout.csl.toronto.edu\/.","key":"e_1_2_1_58_1"},{"unstructured":"Porter 2015. The Porter Stemming Algorithm. Retrieved from http:\/\/tartarus.org\/martin\/PorterStemmer\/.  Porter 2015. The Porter Stemming Algorithm. Retrieved from http:\/\/tartarus.org\/martin\/PorterStemmer\/.","key":"e_1_2_1_59_1"},{"unstructured":"PrivacyGrade 2015. PrivacyGrade: Grading the privacy of smartphone apps. Retrieved from http:\/\/privacygrade.org\/.  PrivacyGrade 2015. PrivacyGrade: Grading the privacy of smartphone apps. Retrieved from http:\/\/privacygrade.org\/.","key":"e_1_2_1_60_1"},{"volume-title":"API","year":"2015","key":"e_1_2_1_61_1"},{"unstructured":"PScout ContentProvider 2015. Content Provider (URI strings) with permissions. Retrieved from http:\/\/pscout.csl.toronto.edu\/download.php?file&equals;results\/jellybean_contentproviderpermission.  PScout ContentProvider 2015. Content Provider (URI strings) with permissions. Retrieved from http:\/\/pscout.csl.toronto.edu\/download.php?file&equals;results\/jellybean_contentproviderpermission.","key":"e_1_2_1_62_1"},{"unstructured":"PScout Intent 2015. Intents with Permissions. Retrieved from http:\/\/pscout.csl.toronto.edu\/download.php?file&equals;results\/jellybean_intentpermissions.  PScout Intent 2015. Intents with Permissions. Retrieved from http:\/\/pscout.csl.toronto.edu\/download.php?file&equals;results\/jellybean_intentpermissions.","key":"e_1_2_1_63_1"},{"doi-asserted-by":"publisher","key":"e_1_2_1_64_1","DOI":"10.1145\/2660267.2660287"},{"volume-title":"Proceedings of the 22nd USENIX Conference on Security (SEC\u201913)","year":"2013","author":"Roesner Franziska","key":"e_1_2_1_65_1"},{"volume-title":"Proceedings of the 10th International Conference on Security and Cryptography (SECRYPT\u201913)","year":"2013","author":"Sarwar Golam","key":"e_1_2_1_66_1"},{"doi-asserted-by":"publisher","key":"e_1_2_1_67_1","DOI":"10.1016\/j.istr.2012.10.006"},{"unstructured":"SciKit 2016. Scikit-learn Machine learning in Python. Retrieved from http:\/\/scikit-learn.org\/stable\/index.html.  SciKit 2016. Scikit-learn Machine learning in Python. Retrieved from http:\/\/scikit-learn.org\/stable\/index.html.","key":"e_1_2_1_68_1"},{"volume-title":"Proceedings of the 21st USENIX Conference on Security Symposium (Security\u201912)","author":"Shekhar Shashi","key":"e_1_2_1_69_1"},{"doi-asserted-by":"publisher","key":"e_1_2_1_70_1","DOI":"10.1145\/2702123.2702404"},{"doi-asserted-by":"publisher","key":"e_1_2_1_71_1","DOI":"10.1145\/2556288.2557421"},{"volume-title":"Proceedings of the Workshop on Mobile Security Technologies (MoST).","year":"2012","author":"Stevens Ryan","key":"e_1_2_1_72_1"},{"unstructured":"StringMatching 2016. Wikipedia Approximate String Matching. Retrieved from http:\/\/en.wikipedia.org\/wiki\/Approximate_string_matching.  StringMatching 2016. Wikipedia Approximate String Matching. Retrieved from http:\/\/en.wikipedia.org\/wiki\/Approximate_string_matching.","key":"e_1_2_1_73_1"},{"unstructured":"SVM 2016. Wikipedia Support Vector Machine. Retrieved from http:\/\/en.wikipedia.org\/wiki\/Support_vector_machine.  SVM 2016. Wikipedia Support Vector Machine. Retrieved from http:\/\/en.wikipedia.org\/wiki\/Support_vector_machine.","key":"e_1_2_1_74_1"},{"volume-title":"Proceedings of the 10th USENIX Conference on Operating Systems Design and Implementation (OSDI\u201912)","year":"2012","author":"Tang Yang","key":"e_1_2_1_75_1"},{"doi-asserted-by":"publisher","key":"e_1_2_1_76_1","DOI":"10.1145\/1864349.1864364"},{"volume-title":"Proceedings of the 23rd USENIX Conference on Security Symposium (Security\u201914)","year":"2014","author":"Tripp Omer","key":"e_1_2_1_77_1"},{"doi-asserted-by":"publisher","key":"e_1_2_1_78_1","DOI":"10.1145\/2771783.2771795"},{"doi-asserted-by":"publisher","key":"e_1_2_1_79_1","DOI":"10.1109\/GLOCOM.2015.7417621"},{"doi-asserted-by":"publisher","key":"e_1_2_1_80_1","DOI":"10.1145\/2750858.2805833"},{"doi-asserted-by":"publisher","key":"e_1_2_1_81_1","DOI":"10.1145\/3038912.3052712"},{"doi-asserted-by":"publisher","key":"e_1_2_1_82_1","DOI":"10.1109\/CSE.2014.132"},{"volume-title":"11th Symposium On Usable Privacy and Security (SOUPS","year":"2015","author":"Watanabe Takuya","key":"e_1_2_1_83_1"},{"unstructured":"WordList 2015. English wordlist. (2015). http:\/\/www-personal.umich.edu\/jlawler\/wordlist.  WordList 2015. English wordlist. (2015). http:\/\/www-personal.umich.edu\/jlawler\/wordlist.","key":"e_1_2_1_84_1"},{"volume-title":"Proceedings of the 21st USENIX Conference on Security Symposium (Security\u201912)","year":"2012","author":"Xu Rubin","key":"e_1_2_1_85_1"},{"doi-asserted-by":"publisher","key":"e_1_2_1_86_1","DOI":"10.5555\/2818754.2818793"},{"doi-asserted-by":"publisher","key":"e_1_2_1_87_1","DOI":"10.1145\/2508859.2516676"},{"doi-asserted-by":"publisher","key":"e_1_2_1_88_1","DOI":"10.5555\/2022245.2022255"}],"container-title":["ACM Transactions on Information Systems"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3086677","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3086677","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,18]],"date-time":"2025-06-18T03:30:13Z","timestamp":1750217413000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3086677"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2017,7,11]]},"references-count":88,"journal-issue":{"issue":"4","published-print":{"date-parts":[[2017,10,31]]}},"alternative-id":["10.1145\/3086677"],"URL":"https:\/\/doi.org\/10.1145\/3086677","relation":{},"ISSN":["1046-8188","1558-2868"],"issn-type":[{"type":"print","value":"1046-8188"},{"type":"electronic","value":"1558-2868"}],"subject":[],"published":{"date-parts":[[2017,7,11]]},"assertion":[{"value":"2016-07-01","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2017-04-01","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2017-07-11","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}