AppPAL for Android: Capturing and Checking Mobile App Policies

Joseph Hallett, David Aspinall

Research output: Chapter in Book/Report/Conference proceedingConference contribution


It can be difficult to find mobile apps that respect one’s security and privacy. Businesses rely on employees enforcing company mobile device policies correctly. Users must judge apps by the information shown to them by the store. Studies have found that most users do not pay attention to an apps permissions during installation [19] and most users do not understand how permissions relate to the capabilities of an app [30]. To address these problems and more, we present AppPAL: a machinereadable policy language for Android that describes precisely when apps are acceptable. AppPAL goes beyond existing policy enforcement tools, like Kirin [16], adding delegation relationships to allow a variety of authorities to contribute to a decision. AppPAL also acts as a “glue”, allowing connection to a variety of local constraint checkers (e.g., static analysis tools, packager manager checks) to combine their results. As well as introducing AppPAL and some examples, we apply it to explore whether users follow certain intended policies in practice, finding privacy preferences and actual behaviour are not always aligned in the absence of a rigorous enforcement mechanism.
Original languageEnglish
Title of host publicationESSoS: International Symposium on Engineering Secure Software and Systems
Number of pages17
Publication statusPublished - 2016
Event8th International Symposium of Engineering Secure Software and Systems 2016 - London, United Kingdom
Duration: 6 Apr 20168 Apr 2016


Conference8th International Symposium of Engineering Secure Software and Systems 2016
Abbreviated titleESSoS 2016
Country/TerritoryUnited Kingdom
Internet address


Dive into the research topics of 'AppPAL for Android: Capturing and Checking Mobile App Policies'. Together they form a unique fingerprint.

Cite this