Developing a permission-based android mobile privacy risk model through deployment of analytics and visualisation techniques

Saliha Yilmaz

Research output: Thesis › Doctoral thesis

Abstract

The exponential increase in data input on mobile devices has resulted in the creation of highly personalised and convenient mechanisms for aggregating and tracking user data. However, mobile security threats, specifically on Android devices, have surged, surpassing the rising numbers of bank fraud, social media account takeovers, and personal information leaks.

This indicates that mobile users often remain unaware of the security threats embedded in routine application behaviour. For example, permissions such as access to the network state, while deemed non-dangerous by the Android permission architecture, can allow for behavioural profiling and the transmission of data to third parties. These permissions operate in the background, silently collecting and sharing data between applications. This implies that seemingly benign applications, such as the Clock or Camera application, have the capacity to compromise confidentiality by gaining access to other applications within the same permission group. As a result, users are kept unaware of which data assets their permissions share. This information gap persists, leaving individuals uncertain about the extent of their data exposure. The integration of permission-based models by mobile platforms is a response to these concerns. However, there is a lack of consistent adherence to the General Data Protection Regulation (GDPR) among application designers. This allows app providers, app developers and third parties integrated into these applications to access sensitive data without obtaining user consent. The proliferation of third-party libraries, along with the utilisation of unique identifiers such as the Android Advertising ID (AAID) and physical tracking mechanisms, significantly exacerbates privacy concerns. These practices facilitate the development of personalised user profiles without the individual's knowledge or consent.

To address this issue, this dissertation undertakes a critical examination of the permissions embedded in the Android mobile infrastructure. It demonstrates how these permissions may inadvertently reveal sensitive user information, identify user behaviour patterns, and be disseminated to other applications without contravening the General Data Protection Regulation guidelines. To demonstrate these issues, a static analysis was conducted on 103 first-party and third-party Android applications, with a focus on their permissions. Further manual investigation was carried out to determine their actual purpose and assess the associated privacy risks. In response, this dissertation introduces a structured privacy risk assessment model that evaluates the potential risk posed by mobile application permissions, offering a practical framework for identifying, categorising, and mitigating privacy threats. Beyond its immediate application, this model lays the groundwork for future enhancements such as dynamic analysis, inter-app behaviour modelling, machine learning integration, and user-centric evaluation to bolster mobile security and support transparent, GDPR-compliant privacy practices.

Original language: English
Qualification: Doctor of Philosophy (PhD)
Awarding Institution
Supervisors/Advisors
  • Philip, Nada, Supervisor
Award date: 3 Jun 2025
Place of Publication: Kingston upon Thames, U.K.
Publisher
Publication status: Published - 13 Nov 2025
Externally published: Yes

PhD type

  • Standard route
