Android apps can potentially access a wide variety of sensitive resources such as location, camera, microphone, contacts, and more. To protect access to such sensitive resources, Android includes a permission system in which users can grant and deny access to certain sensitive resources on a per-app basis. In this talk, I will discuss the evolution of Android’s permission system, some limitations as it stands today, and some of the issues with using permissions to enforce security policies. Then I will give an overview of recent work studying user expectations of how user interactions might convey authorization in Android, and developing auditing mechanisms to check those expectations.