Measuring and Characterizing (Mis)compliance of the Android Permission System
IEEE Transactions on Software Engineering (IF 7.4). Publication date: 2024-02-12. DOI: 10.1109/tse.2024.3362921
Anna Barzolevskaia, Enrico Branca, Natalia Stakhanova
Within the Android mobile operating system, Android permissions act as a system of safeguards designed to restrict access to potentially sensitive data and privileged components. Multiple research studies indicate flaws and limitations of the Android permission system, prompting Google to implement a more regulated and fine-grained permission model. This newly introduced complexity creates confusion for developers, leading to incorrect permissions and a significant risk to users' security and privacy. We present a systematic study of theoretical and practical misuse of permissions. For this analysis we derive the unified permission and call mappings that represent the theoretical requirements of permissions and calls. We develop PChecker, an approach that, based on these mappings, identifies the discrepancies between the official Android permissions documentation and the permission implementation in the Android platform source code. We evaluate four versions of the Android Open Source Project code (major versions 10–13) and shed light on the prevalence of discrepancies between the official Android guidelines for permissions and their implementation in the Android platform source code. We further show that these discrepancies result in miscompliance in third-party Android apps.
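As an added illustration (not PChecker's code and not the paper's mappings), the following Python sketch shows the kind of comparison the abstract describes: a documentation-derived mapping of API calls to required permissions is checked against the permission checks actually present in the platform source for the same calls. The service, method and permission names and the simplified Java-like source text are constructed for this example, and the discrepancy categories are an assumption of the sketch rather than the paper's taxonomy; `enforceCallingOrSelfPermission` is a real Android `Context` method, used here only as the pattern the scan looks for.

```python
import re

# Constructed documentation mapping: API call -> permissions the reference
# documentation says the call requires. Names are illustrative assumptions,
# not values taken from the paper or from AOSP.
DOC_MAPPING = {
    "ExampleService.getLocation": {"android.permission.ACCESS_FINE_LOCATION"},
    "ExampleService.readContacts": {"android.permission.READ_CONTACTS"},
    "ExampleService.getDeviceId": {"android.permission.READ_PHONE_STATE"},
    "ExampleService.setVolume": set(),
}

# Constructed, heavily simplified stand-in for a platform service source file.
PLATFORM_SOURCE = """
class ExampleService {
    Location getLocation() {
        mContext.enforceCallingOrSelfPermission(
            "android.permission.ACCESS_FINE_LOCATION", "getLocation");
        // ...
    }
    List readContacts() {
        // no permission check here: the documented requirement is not enforced
        // ...
    }
    String getDeviceId() {
        mContext.enforceCallingOrSelfPermission(
            "android.permission.READ_PRIVILEGED_PHONE_STATE", "getDeviceId");
        // ...
    }
    void setVolume(int level) {
        mContext.enforceCallingOrSelfPermission(
            "android.permission.MODIFY_AUDIO_SETTINGS", "setVolume");
        // ...
    }
}
"""

CLASS_RE = re.compile(r"\bclass\s+(\w+)")
# Matches a simple Java method header such as "    Location getLocation() {"
METHOD_RE = re.compile(r"^\s*[\w<>\[\]]+\s+(\w+)\s*\([^)]*\)\s*\{", re.M)
# Matches enforce*/check*Permission calls and captures the permission literal,
# even when the literal is on the line after the call (re.S allows newlines).
CHECK_RE = re.compile(
    r'(?:enforce|check)(?:CallingOrSelf|Calling)?Permission\(\s*"(android\.permission\.[A-Z_]+)"',
    re.S,
)


def extract_code_mapping(source):
    """Build the source-derived mapping: API call -> permissions checked in its body."""
    class_name = CLASS_RE.search(source).group(1)
    headers = list(METHOD_RE.finditer(source))
    mapping = {}
    for i, header in enumerate(headers):
        # A method body runs from its header to the next header (or end of file).
        end = headers[i + 1].start() if i + 1 < len(headers) else len(source)
        body = source[header.end():end]
        mapping[f"{class_name}.{header.group(1)}"] = set(CHECK_RE.findall(body))
    return mapping


def compare_mappings(doc, code):
    """Classify each API call by how its documented and enforced permissions relate.

    The category names are assumptions of this sketch, not the paper's terms.
    """
    findings = []
    for api in sorted(set(doc) | set(code)):
        documented = doc.get(api, set())
        enforced = code.get(api, set())
        if api not in code:
            kind = "not-in-source"
        elif api not in doc:
            kind = "undocumented-api"
        elif documented == enforced:
            kind = "consistent"
        elif not enforced:
            kind = "documented-not-enforced"   # doc promises a check the code lacks
        elif not documented:
            kind = "enforced-not-documented"   # code demands a permission docs omit
        else:
            kind = "mismatch"                  # both present but different permissions
        findings.append((api, kind, sorted(documented), sorted(enforced)))
    return findings


if __name__ == "__main__":
    for api, kind, documented, enforced in compare_mappings(
        DOC_MAPPING, extract_code_mapping(PLATFORM_SOURCE)
    ):
        print(f"{api:32} {kind:26} doc={documented} code={enforced}")
```

A real analysis has to handle checks that are delegated to helper methods, performed in the framework layer before the service is reached, or gated on `checkPermission` results rather than thrown from `enforce*`, so a one-file regex scan like this reports only the direct cases; it is meant to show the shape of the documentation-versus-implementation comparison, not to replace a proper source-level analysis.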

Updated: 2024-02-12