Don’t bite off more than you can chew: Investigating Excessive Permission Requests in Trigger-Action Integrations
Keywords: Trigger-Action Platform, Permission Minimization
Abstract: Various web-based trigger-action platforms (TAPs) enable users to
integrate diverse Internet of Things (IoT) systems and online services into
trigger-action integrations (TAIs), designed to facilitate functionality-rich
automation tasks called applets. A typical TAI involves at least three
cooperative entities, i.e., the TAP and the participating trigger and action
service providers. This multi-party nature, however, can render the integration
susceptible to security and privacy challenges. Issues such as privileged
action mis-triggering and sensitive data leakage have been continuously
reported in existing applets by recent studies.
In this work, we investigate cross-entity permission management in TAIs,
addressing the root causes of the applet-level security and privacy issues that
have been the focus of the literature in this area. We advocate
permission-functionality consistency, aiming to reclaim fairness when the user
is asked to grant permissions. We develop PFCon, which extracts the required
permissions based on all functionalities offered by an entity, and checks the
consistency between the required and requested permissions on users’ assets.
PFCon leverages advanced GPT-based language models to address a challenge of
the TAI context: the textual artifacts are short and written in an unformatted
manner. We conduct a large-scale study on all TAIs built around IFTTT, the most
popular TAP. Our study unveils that nearly one third of the services in these
integrations request excessive permissions. Our findings alert all service
providers involved in TAIs and encourage them to enforce
permission-functionality consistency.
Track: Systems and Infrastructure for Web, Mobile, and WoT
Submission Guidelines Scope: Yes
Submission Guidelines Blind: Yes
Submission Guidelines Format: Yes
Submission Guidelines Limit: Yes
Submission Guidelines Authorship: Yes
Student Author: Yes
Submission Number: 2547