A multi-dimensional measure for intrusion: the intrusiveness quality attribute

Abstract

Security in personal devices like mobile phones, tablets, is a major concern because these devices often carry sensitive information. Device platforms (e.g. Android) implement "limit access" and "authorize" security tactics to protect privacy/security-sensitive resources against misuse by an app. For instance, Android defines a set of 100+ permissions that guard resources such as phonebook data, network sockets and so on. However, due to poor understanding of these complex permissions, users inadvertently grant dangerous permissions to the apps, which defeat the security tactics implemented. Thus, security of a device is directly related to the capabilities granted to the intruder (app in this case). In this paper, we define a new quality attribute (QA) called Intrusiveness of an app, which characterizes the capabilities of an app to cause violation of personal and operational information of the user/device. We suggest a framework to compute "in-trusiveness" on a given platform. Intrusiveness of an app is represented as a 4-tuple. This tuple characterizes the extent to which the permissions, that are being sought by an app, could compromise in 4 dimensions of information, viz. User, Device, Carrier and the External World. It helps the user to realize the nature of privacy-sensitive resources that (s)he is exposing to the app. Efficacy of our framework is demonstrated by examining intrusiveness of 814 most popular free apps on Android. The Intrusiveness QA could be used to compute potential violation of User Personal Privacy, User Locational Privacy and violation of Device Integrity. Our analysis shows that 84% of apps examined are in a position to compromise User Personal Privacy, 96% can comprise Device Integrity and 92% can compromise Locational Privacy.