SECURITY AND COMMUNICATION NETWORKS
Security Comm. Networks (2014)
Published online in Wiley Online Library (wileyonlinelibrary.com). DOI: 10.1002/sec.986

RESEARCH ARTICLE

Realization of a user-centric, privacy preserving permission framework for Android

Mohammad Nauman 1,2,*, Sohail Khan 1, Abu Talib Othman 1 and Shahrulniza Musa 1

1 Universiti Kuala Lumpur, Malaysian Institute of Information Technology, 1016 Jalan Sultan Ismail, 50250 KL, Malaysia
2 Computer Science Research and Development Unit, 191/E3, Phase I, Hayatabad, Peshawar 25000, Pakistan

ABSTRACT

Android has been steadily gaining market share, and the number of available applications is increasing at a healthy pace. Because of the myriad of third-party applications, privacy concerns are starting to surface in the community. Application developers usually request access to more system resources than are strictly required for their apps. However, the stock Android permission model does not allow users to selectively grant permissions. This is a well-known issue, but existing solutions to this problem are either too abstract or require detailed changes to the core model—making it difficult for both developers and users to accept them. In this paper, we present a fine-grained, user-centric permission model for Android that allows users to selectively grant permissions to applications that they install. Our model allows specification of permissions based on application and system attributes as well as simple yes or no policies. The model is kept as simple as possible, and its open source implementation is highly usable for the average end user. It requires minimal backward compatible changes to the core permission model and is shown to be highly efficient in terms of performance overhead. We present our model and point interested readers to our freely available changeset to help them use, evaluate, and improve our permission model. Copyright © 2014 John Wiley & Sons, Ltd.

KEYWORDS

privacy; mobile platforms; Android; authorization

*Correspondence
Mohammad Nauman, Universiti Kuala Lumpur, Malaysian Institute of Information Technology, 1016 Jalan Sultan Ismail, 50250 KL, Malaysia.
E-mail: nauman@csrdu.org

1. INTRODUCTION

Recent times have seen a massive shift of end users from traditional personal computers to mobile devices—specifically smartphones and tablets [1]. The reason for this trend is the ubiquitous nature of these devices and the unique set of applications and services enabled by the mobility and increased computing power of these smaller-scale devices. Mobile devices can now carry larger amounts of data, display better and more user-friendly interfaces, and perform more complex computations than ever before. This, coupled with the always-on, carry-along nature of smartphones, means that they can be used for a wide spectrum of services that would have been impossible with a personal computer. For example, there has been a boom in location-based services on smartphones, with different businesses providing real-time information to customers based on their location and interests [2].

For provision of such services, the mobile device must house sensitive data, which the user might not want to share with all parties. In the aforementioned example, one might imagine a situation where the user would be willing to provide information about her location to one application but not to others. Similarly, the mobile phone, by its nature, is designed and used to store highly sensitive data such as contacts, photos, videos, and notes. This issue is compounded by the more novel sensors on modern smartphones, which are capable of gathering “fingerprinting” data such as the gait of the user [3], the patterns of their movement, and the direction of the phone. The privacy consequences of a malicious application taking all this information and using it to profile a particular user are evident.

To address this issue, the “goodness” of applications on modern smartphones is guaranteed through several models of trust: one model takes the guardian approach and ensures that only those applications that have been studied in depth by a group of experts are available to users. This model is followed by Apple for their iOS-based devices such as iPhone and iPad. The other equally