Applications (apps) are arguably the lifeline of today's mobile terminals. Their immense popularity is evident from the thousands of available apps. One reason applications are so popular and useful is that they provide services highly customized to different aspects of life, from recommending location-based places of interest to monitoring health. One downside is that, to provide such services, the applications collect personal information about the user. This personal information is generally gathered by the many hardware and logical sensors present in mobile phones. These sensors include, but are not limited to, global positioning system (GPS) sensors, accelerometers, and/or the like. Such personal information is very sensitive and has grave privacy implications if misused.
To avoid such personal data misuse, most operating systems for mobile terminals provide a needs-based access control model in which access to data collected by a sensor is only given to an application after explicit authorization by the user. At a high level, an application declares, in a manifest file, the list of sensors to which it needs access in order to provide its functionality. During installation, the manifest file is read and the list of required sensors is presented to the user. In some examples, the application may only be installed if the user agrees to the requested sensor access. After installation, the mobile operating system enforces the access control, ensuring that the application is only allowed access to those sensors declared in its manifest file.
While the manifest file and the mobile operating system's access restrictions act as a deterrent, studies have shown that such a model is not sufficient by itself. Many applications have been observed to misuse at run time the access granted to them at install time. For example, while a weather application may legitimately request access to the user's location at install time, nothing stops that weather application from retrieving the user's location every few seconds at run time and feeding it to an external server. Therefore, without the ability to express and control run-time characteristics of the application, such as the frequency of access, a user's privacy may be at risk.
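The gap between install-time declaration and run-time behaviour can be made concrete with a small simulation. The following Python code is an added illustration; it is not part of the original description and does not reproduce any mobile operating system's permission implementation. The manifest format, the sensor names, the `ManifestOnlyGate` and `RateLimitedGate` classes, and the 30-second minimum interval are assumptions chosen for the example. It contrasts a manifest-only gate, which grants every location read once the sensor has been declared and approved, with a gate that additionally enforces a minimum interval between reads of the same sensor, so that a weather application polling GPS every five seconds is held to the declared rate.

```python
"""
Simulation of install-time (manifest) versus run-time (frequency) sensor
access control. Added illustration only: the manifest layout, sensor names,
gate classes and interval values below are assumptions for this example and
do not correspond to an existing mobile OS API.
"""
from dataclasses import dataclass
from typing import Dict, List

# Constructed manifest (assumed format): the app declares the sensors it
# needs, which is all the install-time model ever checks.
WEATHER_APP_MANIFEST = {
    "name": "weather",
    "sensors": ["gps"],
}


@dataclass
class AccessDecision:
    allowed: bool
    reason: str


class ManifestOnlyGate:
    """Install-time model: a sensor is granted for the lifetime of the app
    as soon as it is declared in the manifest and approved by the user."""

    def __init__(self, manifest: dict, user_approved: bool):
        self.granted = set(manifest["sensors"]) if user_approved else set()

    def request(self, sensor: str, now: float) -> AccessDecision:
        if sensor in self.granted:
            return AccessDecision(True, "declared in manifest")
        return AccessDecision(False, "not declared in manifest")


class RateLimitedGate(ManifestOnlyGate):
    """Install-time grant plus a run-time constraint: at most one read per
    ``min_interval_s`` seconds for each sensor (hypothetical policy field)."""

    def __init__(self, manifest: dict, user_approved: bool,
                 min_interval_s: Dict[str, float]):
        super().__init__(manifest, user_approved)
        self.min_interval_s = min_interval_s
        self.last_access: Dict[str, float] = {}

    def request(self, sensor: str, now: float) -> AccessDecision:
        base = super().request(sensor, now)
        if not base.allowed:
            return base
        interval = self.min_interval_s.get(sensor)
        last = self.last_access.get(sensor)
        if interval is not None and last is not None and now - last < interval:
            return AccessDecision(
                False, f"rate limit: {interval}s required between {sensor} reads")
        self.last_access[sensor] = now
        return AccessDecision(True, "declared in manifest, within rate limit")


def simulate(gate: ManifestOnlyGate, sensor: str, times: List[float]) -> List[bool]:
    """Replay a sequence of access attempts at the given timestamps (seconds)
    and return, per attempt, whether the gate allowed it."""
    return [gate.request(sensor, t).allowed for t in times]


# Constructed workload: the weather app polls GPS every 5 s for one minute.
POLL_TIMES = [float(t) for t in range(0, 60, 5)]


def demo() -> tuple:
    """Return (reads allowed by manifest-only gate, reads allowed with a 30 s
    minimum interval) for the constructed polling workload."""
    manifest_only = ManifestOnlyGate(WEATHER_APP_MANIFEST, user_approved=True)
    limited = RateLimitedGate(WEATHER_APP_MANIFEST, user_approved=True,
                              min_interval_s={"gps": 30.0})
    return (sum(simulate(manifest_only, "gps", POLL_TIMES)),
            sum(simulate(limited, "gps", POLL_TIMES)))


if __name__ == "__main__":
    unlimited, limited = demo()
    print(f"manifest-only gate allowed {unlimited} of {len(POLL_TIMES)} GPS reads")
    print(f"rate-limited gate allowed {limited} of {len(POLL_TIMES)} GPS reads")
```

Both gates deny a sensor the manifest never declared, so the install-time check is preserved; the difference is only visible at run time, where the manifest-only gate passes all twelve polls and the rate-limited gate passes two (at 0 s and 30 s). The gate keeps per-sensor state, so a policy can set different intervals for GPS and for an accelerometer without affecting the install-time grant.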