WWW2024

Don't Bite Off More than You Can Chew: Investigating Excessive Permission Requests in Trigger-Action Integrations

Liuhuo Wan, Kailong Wang, Kulani Mahadewa, Haoyu Wang, Guangdong Bai

Abstract

Web-based trigger-action platforms (TAPs) allow users to integrate Internet of Things (IoT) systems and online services into trigger-action integrations (TAIs), facilitating rich automation tasks known as applets. Despite their benefits, these integrations (typically involving the TAP, trigger, and action service providers) pose significant security and privacy challenges, such as mis-triggering and data leakage. This work investigates cross-entity permission management within TAIs to address the underlying causes of these security and privacy issues, emphasizing permission-functionality consistency to ensure fairness in permission requests. We introduce PFCon, a system that leverages GPT-based language models to analyze required and requested permissions, revealing excessive permission requests in a large-scale study of the IFTTT TAP. Our findings highlight the need for service providers to enforce permission-functionality consistency, raising awareness of the importance of security and privacy in TAIs.

CCS CONCEPTS

• Security and privacy → Web application security
• Networks → Network privacy and anonymity