Mobile applications privacy : towards a methodology to identify over-privileged applications

Smart-phones are today used to perform a huge amount of online activities. They are used as interfaces to access the cloud, as storage resource, as social network tools, agenda, digital wallet, digital identity repository etc. In other words smart-phone are today the citizen's digital companion, and, as such, they are the explicit or implicit repository of a huge amount of personal information. The criticality of these devices is generally due to the following considerations: 1. Being mobile by nature, they are exposed full-time to a potentially adverse environment; 2. The need,for mobile applications, to cut the development costs to maintain the price appealing for the mobile-application market, is often translated into a quick prototyping approach, rather than a careful cybersecurity oriented code development; 3. Being the smart-phone strongly linked to their owner, a successful exploitation of a smart-phone can directly impact the security and privacy of its owner. One of the major source of back-doors of mobile applications, is the bad use of privilege permissions. Developers tend to attribute to their applications as much permission rights as possible, even if they are not indeed needed.Malicious applications can leverage of these permissions to create covert channels allowing to get private information stored into the smartphone. In this report we investigate on the "Declarative permissions scheme model" on which relies the security layer of Android, proposing an innovative technique combining together dynamic and static analysis to profile mobile applications and identify if they are over-privileged.