Mobile App Permission Risk Scorer
Assess the privacy and security risk of a mobile app based on its requested permissions. Each permission carries a base risk weight; dangerous permission combinations add bonus risk. The final score (0–100) classifies the app as Low, Moderate, High, or Critical risk.
Formula
Step 1 — Base Score:
BaseScore = Σ weight(pᵢ) for each selected permission pᵢ
Step 2 — Combination Bonus:
ComboScore = Σ bonus(cⱼ) for each dangerous combination cⱼ where all member permissions are selected
Step 3 — Category Adjustment:
RawScore = (BaseScore + ComboScore) × CategoryMultiplier
Step 4 — Normalization (0–100):
FinalScore = min(100, round(RawScore / MAX_RAW × 100))
where MAX_RAW = 332.8 (theoretical maximum: the sum of every permission weight plus every combination bonus, 256, multiplied by the largest category multiplier, 1.3)
Risk Levels:
0–20 → Low | 21–45 → Moderate | 46–70 → High | 71–100 → Critical
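The four steps above, as an added Python example rather than the tool's own code. The page does not publish its weight, bonus or multiplier tables, so the tables below are illustrative assumptions; only the 1.3 (flashlight) and 0.8 (messaging) multipliers are taken from the page. MAX_RAW is derived from the assumed tables exactly as the page derives 332.8, so the normalisation stays consistent with whatever tables are plugged in, and the app inputs are constructed, not real apps. Unknown permissions raise instead of being skipped, because silently ignoring a misspelled or unlisted permission would under-score the app.

```python
"""Permission risk scorer following the page's four-step formula.

Weights, bonuses and category multipliers are ASSUMED for illustration
(the page does not publish its tables). MAX_RAW is computed from them the
same way the page computes 332.8.
"""
from dataclasses import dataclass

# Assumed base weights (1-10), keyed by the short Android permission name.
PERMISSION_WEIGHTS = {
    "INTERNET": 3,
    "READ_EXTERNAL_STORAGE": 4,
    "READ_PHONE_STATE": 5,
    "CAMERA": 6,
    "READ_CONTACTS": 6,
    "ACCESS_FINE_LOCATION": 7,
    "RECORD_AUDIO": 7,
    "ACCESS_BACKGROUND_LOCATION": 8,
    "RECEIVE_SMS": 8,
    "SYSTEM_ALERT_WINDOW": 8,
    "READ_SMS": 9,
    "REQUEST_INSTALL_PACKAGES": 9,
    "BIND_ACCESSIBILITY_SERVICE": 10,
}

# Assumed combination bonuses; a bonus fires only when every member is requested.
COMBO_BONUSES = {
    frozenset({"BIND_ACCESSIBILITY_SERVICE", "INTERNET"}): 15,             # banking-trojan pattern
    frozenset({"SYSTEM_ALERT_WINDOW", "BIND_ACCESSIBILITY_SERVICE"}): 12,  # overlay plus input capture
    frozenset({"RECEIVE_SMS", "INTERNET"}): 12,                            # OTP interception and exfiltration
    frozenset({"REQUEST_INSTALL_PACKAGES", "INTERNET"}): 10,               # dropper
    frozenset({"RECORD_AUDIO", "ACCESS_BACKGROUND_LOCATION"}): 10,         # covert surveillance
}

# Assumed category multipliers; 1.3 and 0.8 are the two values the page quotes.
CATEGORY_MULTIPLIERS = {
    "flashlight": 1.3,
    "game": 1.2,
    "utility": 1.0,
    "social": 0.9,
    "messaging": 0.8,
}

# Table consistency: a combo naming an unscored permission could never fire.
for _combo in COMBO_BONUSES:
    assert _combo.issubset(PERMISSION_WEIGHTS), f"unscored permission in combo {set(_combo)}"

# Theoretical maximum raw score, derived like the page's 332.8:
# (sum of all weights + sum of all bonuses) * largest multiplier.
MAX_RAW = (sum(PERMISSION_WEIGHTS.values()) + sum(COMBO_BONUSES.values())) * max(CATEGORY_MULTIPLIERS.values())

# Upper bound of each band on the 0-100 scale, as given on the page.
RISK_LEVELS = ((20, "Low"), (45, "Moderate"), (70, "High"), (100, "Critical"))


def normalise(permission: str) -> str:
    """Map manifest spellings such as 'android.permission.CAMERA' to the table key."""
    return permission.strip().rsplit(".", 1)[-1].upper()


@dataclass(frozen=True)
class RiskResult:
    base: float
    combo: float
    raw: float
    score: int
    level: str
    matched_combos: tuple


def score_app(permissions, category: str) -> RiskResult:
    """Apply steps 1-4. Unknown permissions or categories raise rather than
    being skipped, since skipping would silently lower the score."""
    requested = {normalise(p) for p in permissions}
    unknown = requested - set(PERMISSION_WEIGHTS)
    if unknown:
        raise ValueError(f"unscored permission(s): {sorted(unknown)}")
    if category not in CATEGORY_MULTIPLIERS:
        raise ValueError(f"unknown category: {category!r}")

    base = sum(PERMISSION_WEIGHTS[p] for p in requested)                      # Step 1
    matched = tuple(sorted(tuple(sorted(c)) for c in COMBO_BONUSES if c <= requested))
    combo = sum(COMBO_BONUSES[frozenset(c)] for c in matched)                  # Step 2
    raw = (base + combo) * CATEGORY_MULTIPLIERS[category]                      # Step 3
    score = min(100, round(raw / MAX_RAW * 100))                               # Step 4
    level = next(name for limit, name in RISK_LEVELS if score <= limit)
    return RiskResult(base, combo, raw, score, level, matched)


def raw_needed(target_score: int) -> float:
    """Smallest RawScore that rounds to at least target_score. Shows how much of
    the table an app must request before a band such as Critical (71) is reachable."""
    return (target_score - 0.5) / 100 * MAX_RAW


if __name__ == "__main__":
    # Constructed inputs, not real apps.
    torch = score_app(["android.permission.CAMERA", "android.permission.INTERNET",
                       "android.permission.BIND_ACCESSIBILITY_SERVICE"], "flashlight")
    chat = score_app(["INTERNET", "READ_CONTACTS", "RECEIVE_SMS", "READ_SMS",
                      "CAMERA", "RECORD_AUDIO"], "messaging")
    print(torch)
    print(chat)
    print(f"raw score needed for Critical: {raw_needed(71):.1f} of MAX_RAW {MAX_RAW:.1f}")
```

With these assumed tables a flashlight app requesting only the camera, Internet and the accessibility service lands at 23 (Moderate) even though it matches the banking-trojan combination, because the linear normalisation measures the app against the sum of every table entry; the raw_needed helper makes that threshold explicit for whatever tables are in use.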
Assumptions & References
- Permission weights (1–10) are derived from Android's dangerous permission classification and OWASP Mobile Top 10 severity ratings.
- Combination bonuses reflect known attack patterns: e.g., Accessibility + Internet is the primary vector for Android banking trojans (ESET Threat Report 2023). Note that accessibility access is not a runtime permission: the app declares a service protected by BIND_ACCESSIBILITY_SERVICE and the user enables it in system settings, so a scanner that reads only <uses-permission> entries will miss it.
- Category multiplier captures permission-purpose mismatch: a flashlight app (multiplier 1.3) requesting microphone is inherently more suspicious than a messaging app (multiplier 0.8) doing so.
- Normalization uses a linear scale against the theoretical maximum raw score (332.8) to produce an interpretable 0–100 index. Because the scale is linear in the fraction of that maximum, reaching Critical (71) requires a raw score of at least about 235, i.e. more than 70% of the un-multiplied maximum of 256 even at the 1.3 multiplier; a small but highly dangerous permission set therefore scores lower than its individual weights alone would suggest, and the combination bonuses are what lift such sets.
- References: Android Developers — Permissions overview; OWASP Mobile Security Testing Guide (MSTG); Google Play Policy — Dangerous permissions; NIST SP 800-163 (Vetting Mobile Apps).
- This tool scores declared permissions only. Runtime behavior, obfuscated code, and data collection by embedded third-party SDKs are not assessed, so a low score does not mean an app is benign.