human computer interaction; user interface design; security evaluation
Abstract:
App permission requests are a control mechanism meant to help users oversee and safeguard access to data and resources on their smartphones. To decide whether to accept or deny such requests and make this consent valid, users need to understand the underlying reasons and judge the relevance of disclosing data in line with their own use of an app. This study investigates people’s certainty about app permission requests via an online survey with 400 representative participants of the UK population. The results demonstrate that users are uncertain about the necessity of granting app permissions for about half of the tested permission requests. This implies substantial privacy risks, which are discussed in the paper, resulting in a call for user-protecting interventions by privacy engineers.
Disciplines:
Computer science
Author, co-author:
BONGARD, Kerstin ; University of Luxembourg > Faculty of Humanities, Education and Social Sciences (FHSE) > Department of Behavioural and Cognitive Sciences (DBCS)
Sterckx, Jean-Louis; University of Luxembourg > Department of Behavioural and Cognitive Sciences
ROSSI, Arianna ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > IRiSC
DISTLER, Verena ; University of Luxembourg > Faculty of Humanities, Education and Social Sciences (FHSE) > Department of Behavioural and Cognitive Sciences (DBCS)
RIVAS, Salvador ; University of Luxembourg > Faculty of Humanities, Education and Social Sciences (FHSE) > LUCET
KOENIG, Vincent ; University of Luxembourg > Faculty of Humanities, Education and Social Sciences (FHSE) > Department of Behavioural and Cognitive Sciences (DBCS)
External co-authors:
no
Document language:
English
Title:
An (Un)Necessary Evil - Users’ (Un)Certainty about Smartphone App Permissions and Implications for Privacy Engineering
Publication/release date:
2022
Event name:
2022 International Workshop on Privacy Engineering – IWPE'22 CO-LOCATED WITH 7TH IEEE EUROPEAN SYMPOSIUM ON SECURITY AND PRIVACY
Event organizer:
IEEE EuroS&P
Event location:
Genoa, Italy
Event date:
6 June 2022
Event scope:
International
Title of the main work:
2022 7th IEEE European Symposium on Security and Privacy Workshops (EuroSPW)