Description
Third-party libraries (3PLs), such as advertising networks, gaming networks, and analytics engines, are an integral part of modern mobile platforms. If Android developers want to integrate functionality provided by 3PLs, they must bundle opaque binary code into their applications. Unfortunately, developers must in essence overprivilege their Android applications by requesting dangerous permissions, such as full Internet access, solely for the purpose of supporting 3PLs. Mixing 3PLs and dangerous permissions introduces vulnerabilities and risks to potential compromise of private user data, especially in an uncurated application marketplace. This work presents AdDroid, a proof-of-concept implementation that applies the principle of least privilege to mobile applications and advertising 3PLs by introducing the notion of third-party privileges directly into the Android API. AdDroid minimizes the burden of change to application developers and consumers, improves privacy, and supplies independent controls for 3PLs. AdDroid eliminates overprivileging in 44% of advertising-supported free applications. We also study how much advertising-supported "free" applications may cost users in terms of their limited monthly data plans and how AdDroid addresses this concern. Finally, we present possible deployment plans of the new system.