October 17-21, 2011, Chicago, Illinois, USA | Adrienne Porter Felt, Erika Chin, Steve Hanna, Dawn Song, David Wagner
This paper investigates Android's application permission system and finds that many Android applications are overprivileged. The authors developed Stowaway, a tool that detects overprivilege in compiled Android applications. Stowaway analyzes API calls, Content Providers, and Intents to determine the permissions required for each operation, then compares them against the permissions the application requests. The tool was applied to 940 Android applications, and about one-third were found to be overprivileged. The overprivileged applications generally request few extra privileges, with more than half requesting only one extra permission. The authors investigate the causes of overprivilege and find that many developer errors stem from confusion about the permission system. They also identify 6 errors in the Android permission documentation. The results indicate that developers are trying to follow least privilege, which supports the potential effectiveness of install-time permission systems like Android's. The paper also discusses the Android permission system, including how permissions are enforced, how Content Providers and Intents are protected, and how the Android API is structured. The authors also describe their testing methodology, including the use of automated testing techniques to determine Android's access control policy. The results show that Android's documentation is incomplete: the authors' testing reveals permission requirements for 1,259 methods, a sixteen-fold improvement over the documentation. The paper concludes that developers are trying to follow least privilege, and that install-time permission systems like Android's have the potential to be effective.
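A minimal version of the overprivilege check summarized above, added here as an illustration and not Stowaway's own code; the permission map, the sample manifest and the list of observed operations are all constructed for the example.

```python
# Added example, not Stowaway's own code: flag overprivilege by comparing the
# permissions a manifest requests with those its observed operations need.
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed permission map: (kind, identifier) -> permissions it requires.
# Stowaway built its real map by testing the Android API; these entries are illustrative.
PERMISSION_MAP = {
    ("api", "android.location.LocationManager.getLastKnownLocation"): {"android.permission.ACCESS_FINE_LOCATION"},
    ("api", "android.telephony.TelephonyManager.getDeviceId"): {"android.permission.READ_PHONE_STATE"},
    ("provider", "content://contacts"): {"android.permission.READ_CONTACTS"},
    ("intent", "android.intent.action.CALL"): {"android.permission.CALL_PHONE"},
}

def requested_permissions(manifest_xml):
    """Return the permissions declared via <uses-permission> in the manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}

def required_permissions(operations, permission_map=PERMISSION_MAP):
    """Union the permissions needed by every observed API call, Content Provider access or Intent."""
    needed = set()
    for op in operations:
        needed |= permission_map.get(op, set())
    return needed

def audit(manifest_xml, operations, permission_map=PERMISSION_MAP):
    requested = requested_permissions(manifest_xml)
    required = required_permissions(operations, permission_map)
    return {
        "overprivileged": sorted(requested - required),  # requested but never needed
        "missing": sorted(required - requested),         # needed but not requested: SecurityException at runtime
    }

# Constructed sample manifest requesting three permissions...
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>"""
# ...and the constructed set of operations found in the app's code
SAMPLE_OPERATIONS = [
    ("api", "android.location.LocationManager.getLastKnownLocation"),
    ("provider", "content://contacts"),
    ("intent", "android.intent.action.CALL"),
]

if __name__ == "__main__":
    print(audit(SAMPLE_MANIFEST, SAMPLE_OPERATIONS))
```

The `missing` set is the complementary defect: a permission the code needs but the manifest omits fails at runtime rather than at install time.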