Abstract

The Android app store hosts millions of applications developed by a vast number of developers, making it challenging for users to assess the trustworthiness of individual apps and their creators. To address privacy and security concerns, the Android permission system was developed to grant users control over each app’s access to sensitive data and system components. However, even if the core application is trustworthy, it often incorporates third-party libraries that inherit the same permissions as the host app. Techniques such as opportunistic permission usage and permission piggybacking allow these libraries to exploit available permissions and access user data without explicitly requesting permissions themselves. These practices are particularly prevalent among advertising and tracking libraries, which are notorious for extensive data collection. Although several studies have identified this privacy gap, no effective solution has been integrated into the Android ecosystem to date. In this work, we present a novel analysis methodology to detect permission piggybacking by third-party libraries and evaluate its impact on real-world applications. Our results reveal that permission piggybacking is highly prevalent, with 50% of third-party libraries attempting to exploit this loophole. These findings highlight an urgent need to implement existing mitigation strategies within Android to enhance user privacy and security.
Heid et al. studied this question.
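The abstract describes the core detection idea: a third-party library inherits the host app's granted permissions, so a call to a permission-gated Android API that originates in library code rather than in the app's own package is a piggybacking candidate. The following script, added here as an illustration and not the paper's own tool, shows a minimal static heuristic built on that idea. Everything in it is constructed: the small API-to-permission table (real mappings such as those used in academic call-graph tooling are far larger), the sample host package `com.example.weather`, the library packages `com.adlib` and `com.analyticsco`, and the call sites, which stand in for edges a decompiler or call-graph extractor would produce.

```python
"""Toy static heuristic for third-party-library permission piggybacking.

Added example, not the paper's analysis pipeline. The permission table,
package names and call graph below are all constructed for illustration.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed subset of Android framework APIs gated by a dangerous permission.
API_PERMISSIONS = {
    "android.telephony.TelephonyManager.getDeviceId": "android.permission.READ_PHONE_STATE",
    "android.location.LocationManager.getLastKnownLocation": "android.permission.ACCESS_FINE_LOCATION",
    "android.hardware.Camera.open": "android.permission.CAMERA",
    "android.provider.ContactsContract.Contacts.query": "android.permission.READ_CONTACTS",
}


@dataclass(frozen=True)
class CallSite:
    caller_class: str   # fully qualified class containing the call
    callee_api: str     # key into API_PERMISSIONS (other APIs are ignored)


@dataclass(frozen=True)
class Finding:
    library: str
    caller_class: str
    api: str
    permission: str
    declared_by_host: bool  # True: the call works only because the host app asked for it


def library_of(caller_class: str, app_package: str, library_packages: Iterable[str]) -> Optional[str]:
    """Return the third-party package owning caller_class, or None for host code / unknown code."""
    if caller_class.startswith(app_package + "."):
        return None
    for lib in library_packages:
        if caller_class.startswith(lib + "."):
            return lib
    return None


def find_piggybacking(app_package: str, declared_permissions: Iterable[str],
                      library_packages: Iterable[str], call_sites: Iterable[CallSite]) -> List[Finding]:
    """Flag every permission-gated API call whose caller lives in a third-party package."""
    declared = set(declared_permissions)
    libs = list(library_packages)
    findings = []
    for site in call_sites:
        perm = API_PERMISSIONS.get(site.callee_api)
        if perm is None:
            continue  # not a permission-gated API; nothing to inherit
        lib = library_of(site.caller_class, app_package, libs)
        if lib is None:
            continue  # host code using its own permissions is the expected case
        findings.append(Finding(lib, site.caller_class, site.callee_api, perm, perm in declared))
    return findings


def libraries_piggybacking(findings: Iterable[Finding]) -> List[str]:
    """Libraries with at least one call that only succeeds thanks to a host-declared permission."""
    return sorted({f.library for f in findings if f.declared_by_host})


# Constructed sample app: a weather app that declares location and phone-state
# permissions and bundles an ad library and an analytics library.
SAMPLE_APP_PACKAGE = "com.example.weather"
SAMPLE_DECLARED = {"android.permission.ACCESS_FINE_LOCATION", "android.permission.READ_PHONE_STATE"}
SAMPLE_LIBRARIES = ["com.adlib", "com.analyticsco"]
SAMPLE_CALLS = [
    CallSite("com.example.weather.MainActivity", "android.location.LocationManager.getLastKnownLocation"),
    CallSite("com.adlib.Tracker", "android.telephony.TelephonyManager.getDeviceId"),
    CallSite("com.adlib.Tracker", "android.location.LocationManager.getLastKnownLocation"),
    CallSite("com.adlib.Tracker", "android.util.Log.d"),
    CallSite("com.analyticsco.Probe", "android.hardware.Camera.open"),
]


def run_sample() -> List[Finding]:
    return find_piggybacking(SAMPLE_APP_PACKAGE, SAMPLE_DECLARED, SAMPLE_LIBRARIES, SAMPLE_CALLS)


if __name__ == "__main__":
    for f in run_sample():
        status = "succeeds via host-declared permission" if f.declared_by_host else "host never declared it"
        print(f"{f.library}: {f.caller_class} -> {f.api} needs {f.permission} ({status})")
    print("libraries piggybacking on host permissions:", libraries_piggybacking(run_sample()))
```

The `declared_by_host` flag separates the two outcomes a reviewer cares about: a library call whose permission the host declared will silently succeed with the user's grant to the host, while a call whose permission the host never declared cannot succeed and is only a hint that the library probes for whatever happens to be available. On a real APK the call sites would come from a decompiled call graph and the library package list from a library-detection step, both outside this illustration.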