TY - JOUR
T1 - Understanding the Bad Development Practices of Android Custom Permissions in the Wild
AU - Zhang, Xiaohan
AU - Yu, Zhiyuan
AU - Li, Xinghua
AU - Zhang, Cen
AU - Sun, Cong
AU - Zhang, Ning
AU - Deng, Robert H.
N1 - Publisher Copyright:
© 2004-2012 IEEE.
PY - 2025
Y1 - 2025
N2 - The Android system provides application developers with the ability to define custom permissions, which serve to moderate the sharing of resources and interactions with other applications. However, poor development practices can render the permission mechanism ineffective, weakening the system protection. This paper presents a comprehensive examination of the problematic practices surrounding custom permissions employed by developers, referred to as Bad Practices of Custom Permissions (BPCP issues). To accomplish this, we conducted an empirical study and identified nine common BPCP issue patterns that can lead to various adverse consequences, such as installation failures, crashes, or even component hijacking. To automatically identify these patterns of bad practices, we devised PERMEAGRE, a static analysis tool. Using PERMEAGRE, we performed a large-scale analysis of 83,085 applications obtained from seven major app markets, aiming to detect instances of BPCP issues. The results revealed that more than 26% of the analyzed apps contained at least one issue, and a significant number of these apps had garnered millions of downloads. Drawing from the empirical results, we further systematize the underlying root causes of these issues. Consequently, this analysis sheds light on the potential threat landscape associated with bad practices in custom permissions, emphasizing the urgent requirement for effective mitigation strategies.
AB - The Android system provides application developers with the ability to define custom permissions, which serve to moderate the sharing of resources and interactions with other applications. However, poor development practices can render the permission mechanism ineffective, weakening the system protection. This paper presents a comprehensive examination of the problematic practices surrounding custom permissions employed by developers, referred to as Bad Practices of Custom Permissions (BPCP issues). To accomplish this, we conducted an empirical study and identified nine common BPCP issue patterns that can lead to various adverse consequences, such as installation failures, crashes, or even component hijacking. To automatically identify these patterns of bad practices, we devised PERMEAGRE, a static analysis tool. Using PERMEAGRE, we performed a large-scale analysis of 83,085 applications obtained from seven major app markets, aiming to detect instances of BPCP issues. The results revealed that more than 26% of the analyzed apps contained at least one issue, and a significant number of these apps had garnered millions of downloads. Drawing from the empirical results, we further systematize the underlying root causes of these issues. Consequently, this analysis sheds light on the potential threat landscape associated with bad practices in custom permissions, emphasizing the urgent requirement for effective mitigation strategies.
KW - Android
KW - custom permission
KW - empirical study
KW - static analysis
UR - https://www.scopus.com/pages/publications/85214514037
U2 - 10.1109/TDSC.2024.3525049
DO - 10.1109/TDSC.2024.3525049
M3 - Article
AN - SCOPUS:85214514037
SN - 1545-5971
VL - 22
SP - 3208
EP - 3223
JO - IEEE Transactions on Dependable and Secure Computing
JF - IEEE Transactions on Dependable and Secure Computing
IS - 4
ER -