To keep malware out of mobile application (app) markets, existing techniques analyze the security aspects of app behaviors and summarize patterns of these security aspects to determine what apps do. However, malware and benign apps can present the same behaviors (e.g., sending SMS). The difference is that the behaviors of malware are unexpected, while the behaviors of benign apps are expected by users. User expectations (reflected via user perception in combination with user judgment) should be incorporated into security analysis to determine whether app behaviors are within user expectations. This presentation covers our recent work on bridging the semantic gap between user perceptions of app behaviors and the actual app behaviors.