Don’t bite off more than you can chew: Investigating Excessive Permission Requests in Trigger-Action Integrations

Liuhuo Wan; Kailong Wang; Kulani Tharaka Mahadewa; Haoyu Wang; Guangdong Bai

Don’t bite off more than you can chew: Investigating Excessive Permission Requests in Trigger-Action Integrations

Liuhuo Wan, Kailong Wang, Kulani Tharaka Mahadewa, Haoyu Wang, Guangdong Bai

Published: 23 Jan 2024, Last Modified: 23 May 2024TheWebConf24 OralEveryoneRevisionsBibTeX

Keywords: Trigger-Action Platform, Permission Minimization

Abstract: Various web-based trigger-action platforms (TAPs) enable users to integrate diverse Internet of Things (IoT) systems and online services into trigger-action integrations (TAIs), designed to facilitate the functionality-rich automation tasks called applets. A typical TAI involves at least three cooperative entities, i.e., the TAP, and the participating trigger and action service providers. This multi-party nature can render the integration susceptible to security and privacy challenges though. Issues such as privileged action mis-triggering and sensitive data leakage have been continuously reported from existing applets by recent studies. In this work, we investigate the cross-entity permission manage- ment in TAIs, addressing the root causes of the applet-level security and privacy issues that have been the focus of the literature in this area. We advocate the permission-functionality consistency, aiming to reclaim fairness when the user is requested for permissions. We develop PFCon, which extracts the required permissions based on all functionalities offered by an entity, and checks the consistency between the required and requested permissions on users’ assets. PFCon is featured in leveraging advanced GPT-based language models to address the challenge in the TAI context that the textual artifacts are short and written in an unformatted manner. We con- duct a large-scale study on all TAIs built around IFTTT, the most popular TAP. Our study unveils that nearly one third of the services in these integrations request excessive permissions. Our findings raise an alert to all service providers involved in TAIs, and encourage them to enforce the permission-functionality consistency.

Track: Systems and Infrastructure for Web, Mobile, and WoT

Submission Guidelines Scope: Yes

Submission Guidelines Blind: Yes

Submission Guidelines Format: Yes

Submission Guidelines Limit: Yes

Submission Guidelines Authorship: Yes

Student Author: Yes

Submission Number: 2547

Loading