
Author (graduate student): Shih-Chen Hung (洪士程)
Thesis title: On the Design of A Flexible Reputation Chain For Smartphone Applications (考量彈性之智慧型手機應用程式評價鏈機制之設計)
Advisor: Shi-Cho Cha (查士朝)
Oral defense committee: 羅乃維, 郁方
Degree: Master
Department: School of Management - Department of Information Management
Year of publication: 2016
Academic year of graduation: 104
Language: Chinese
Number of pages: 30
Keywords: Blockchain, Smartphone Application Security, Android Applications
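  • Users of Android smartphones find it difficult to understand an application's security and privacy risks from the permissions the application requests. Users therefore need additional information to judge those risks and decide whether to install and use an application. In view of this, this study proposes a reputation chain service based on blockchain technology. First, the reputation chain service uses a tree structure to integrate reputation information about an application from around the world, which this study calls a reputation information tree, so that application users can query and provide reputation information about applications through the structure of this tree. In addition, this study adopts Bitcoin's blockchain technology, so the required resources can be provided by users and other volunteers, preventing any single party from controlling all of the information provided. Finally, the proposed service also offers a flexible way for application developers and marketplace providers to embed reputation information into applications, reducing the cost of obtaining basic reputation information. This study is therefore expected to help protect users' security and privacy by letting them obtain more reputation information with which to understand the security and privacy risks of mobile applications.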


    The Android platform requires Android applications to obtain permission to access sensitive functions of user smartphones. However, users may have trouble understanding the security and privacy risks of Android smartphone applications based on the permissions the applications request. Therefore, they may need reputation information about the applications to decide whether or not to use them.
    To address the issue, this study proposes a blockchain-based reputation service for Android applications. The proposed reputation service provides a scheme that uses tree structures to integrate reputation information about an application from around the world, such as comments, reviews, security analysis results, and so on. People can therefore send requests to perform query and update operations on the reputation information of applications. Moreover, the proposed service adopts the blockchain technology used in Bitcoin to manage reputation information. The service can therefore be provided using the resources of application users and other volunteers, so that no single party can control the service. In addition, this study proposes a flexible means for application developers or marketplace providers to embed reputation information into applications. Users can therefore obtain reputation information about applications directly from the applications' APK files and query advanced information from the reputation service on demand, which reduces the burden on the reputation service. By letting users obtain more reputation information about applications, the study can hopefully help users understand application security and privacy risks.

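    Abstract (Chinese)
    Abstract
    Acknowledgements
    Table of Contents
    List of Figures
    List of Tables
    Chapter 1 Introduction
    Chapter 2 Background and Literature Review
    2.1 The Method of Embedding Additional Information in Applications in MaPPA
    2.2 Bitcoin's Blockchain Technology
    2.3 Security and Privacy Notices
    Chapter 3 Application Reputation Chain
    3.1 Mechanism Design of the Reputation Chain
    3.2 Architectural Components of the Reputation Chain
    3.3 Data Structure of the Reputation Information Tree
    Chapter 4 User Operations on the Reputation Chain
    4.1 Operating on the Reputation Information Tree
    4.2 Embedding Reputation Information in Applications
    Chapter 5 Conclusions and Future Directions
    References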


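    Full-text release date: 2018/07/26 (campus network)
    Full-text release date: full text not authorized for public release (off-campus network)
    Full-text release date: full text not authorized for public release (National Central Library: Taiwan theses and dissertations system)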