An (Un)Necessary Evil - Users’ (Un)Certainty about Smartphone App Permissions and Implications for Privacy Engineering

BONGARD, Kerstin; Sterckx, Jean-Louis; ROSSI, Arianna; DISTLER, Verena; RIVAS, Salvador; KOENIG, Vincent

Download

Paper published in a book (Scientific congresses, symposiums and conference proceedings)

An (Un)Necessary Evil - Users’ (Un)Certainty about Smartphone App Permissions and Implications for Privacy Engineering

BONGARD, Kerstin; Sterckx, Jean-Louis; ROSSI, Arianna et al.

2022 • In 2022 7th IEEE European Symposium on Security and Privacy Workshops (EuroSPW)

Peer reviewed

Permalink
https://hdl.handle.net/10993/51593

Files (1)Send to Details Statistics Bibliography Similar publications

Files

Full Text

An (Un)Necessary Evil - Users' (Un)Certainty About Smartphone App Permissions and Implications for P.pdf

Author postprint (122.29 kB)

Download

All documents in ORBilu are protected by a user license.

Send to

RIS BibTex APA Chicago Permalink X Linkedin

Details

Keywords :

human computer interaction; user interface design; security evaluation

Abstract :

[en] App permission requests are a control mechanism meant to help users oversee and safeguard access to data and resources on their smartphones. To decide whether to accept or deny such requests and make this consent valid, users need to understand the underlying reasons and judge the relevance of disclosing data in line with their own use of an app. This study investigates people’s certainty about app permission requests via an online survey with 400 representative participants of the UK population. The results demonstrate that users are uncertain about the necessity of granting app permissions for about half of the tested permission requests. This implies substantial privacy risks, which are discussed in the paper, resulting in a call for user-protecting interventions by privacy engineers.

Disciplines :

Computer science

Author, co-author :

BONGARD, Kerstin ; University of Luxembourg > Faculty of Humanities, Education and Social Sciences (FHSE) > Department of Behavioural and Cognitive Sciences (DBCS)

Sterckx, Jean-Louis; University of Luxembourg > Department of Behavioural and Cognitive Sciences

ROSSI, Arianna ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > IRiSC

DISTLER, Verena ; University of Luxembourg > Faculty of Humanities, Education and Social Sciences (FHSE) > Department of Behavioural and Cognitive Sciences (DBCS)

RIVAS, Salvador ; University of Luxembourg > Faculty of Humanities, Education and Social Sciences (FHSE) > LUCET

KOENIG, Vincent ; University of Luxembourg > Faculty of Humanities, Education and Social Sciences (FHSE) > Department of Behavioural and Cognitive Sciences (DBCS)

External co-authors :

Language :

English

Title :

An (Un)Necessary Evil - Users’ (Un)Certainty about Smartphone App Permissions and Implications for Privacy Engineering

Publication date :

2022

Event name :

2022 International Workshop on Privacy Engineering – IWPE'22 CO-LOCATED WITH 7TH IEEE EUROPEAN SYMPOSIUM ON SECURITY AND PRIVACY

Event organizer :

IEEE EuroS&P

Event place :

Genoa, Italy

Event date :

6 June 2022

Audience :

International

Main work title :

2022 7th IEEE European Symposium on Security and Privacy Workshops (EuroSPW)

Publisher :

IEEE

Peer reviewed :

Peer reviewed

FnR Project :

FNR14717072 - Deceptive Patterns Online, 2020 (01/06/2021-31/05/2024) - Gabriele Lenzini

Funders :

FNR - Fonds National de la Recherche

Available on ORBilu :

since 09 July 2022

Statistics

Number of views

284 (27 by Unilu)

Number of downloads

236 (14 by Unilu)

More statistics

Scopus citations^®

Scopus citations^®
without self-citations

Bibliography

Android. (2021) Permissions on android. [Online]. Available: https: //developer. Android. com/guide/topics/permissions/overview
Apple. (2021) Accessing user data and resources. [Online]. Available: https: //developer. Apple. com/design/human-interface-guidelines/ios/app-architecture/ accessing-user-data/
N. Momen, M. Hatamian, and L. Fritsch, "Did app privacy improve after the GDPR" IEEE Security & Privacy, vol. 17, no. 6, p. 10-20, Nov 2019.
Q. Ismail, T. Ahmed, A. Kapadia, and M. K. Reiter, "Crowdsourced Exploration of Security Configurations, " in Proceedings of the 33rd Annual ACM Conference on Human Factors in Computing Systems. Seoul Republic of Korea: ACM, Apr. 2015, pp. 467-476. [Online]. Available: https: //dl. Acm. org/doi/10. 1145/2702123. 2702370
G. A. Akerlof, "The market for "lemons": Quality uncertainty and the market mechanism, " The Quarterly Journal of Economics, vol. 84, no. 3, pp. 488-500, 1970. [Online]. Available: http: //www. jstor. org/stable/1879431
A. Acquisti, I. Adjerid, R. Balebako, L. Brandimarte, L. F. Cranor, S. Komanduri, P. G. Leon, N. Sadeh, F. Schaub, M. Sleeper, Y. Wang, and S. Wilson, "Nudges for privacy and security: Understanding and assisting users' choices online, " ACM Comput. Surv., vol. 50, no. 3, aug 2017. [Online]. Available: https: //doi. org/10. 1145/3054926
A. Acquisti and J. Grossklags, "Privacy and rationality in individual decision making, " Security & Privacy, IEEE, vol. 3, pp. 26-33, 02 2005.
D. Kahneman, Thinking, fast and slow. Macmillan, 2011.
A. Sasse, "Scaring and Bullying People into Security Won't Work, " IEEE Security & Privacy, vol. 13, no. 3, pp. 80-83, May 2015. [Online]. Available: http: //ieeexplore. ieee. org/document/7118083/
P. G. Kelley, S. Consolvo, L. F. Cranor, J. Jung, N. Sadeh, and D. Wetherall, "A Conundrum of Permissions: Installing Applications on an Android Smartphone, " in Financial Cryptography and Data Security. Berlin, Heidelberg: Springer Berlin Heidelberg, 2012, vol. 7398, pp. 68-79, series Title: Lecture Notes in Computer Science. [Online]. Available: http: //link. springer. com/10. 1007/978-3-642-34638-5 6
A. P. Felt, E. Ha, S. Egelman, A. Haney, E. Chin, and D. Wagner, "Android permissions: User attention, comprehension, and behavior, " in Proceedings of the eighth symposium on usable privacy and security, 2012, p. 1-14.
A. Acquisti, H. Heinz, and J. Grossklags, "Uncertainty, ambiguity and privacy, " in 4th Annual Workshop on Economics and Information Security (WEIS 2005), 04 2005.
C. Santos, A. Rossi, L. Sanchez Chamorro, K. Bongard-Blanchy, and R. Abu-Salma, "Cookie banners, what's the purpose analyzing cookie banner text through a legal lens, " in Proceedings of the 20th Workshop on Workshop on Privacy in the Electronic Society, ser. WPES '21. New York, NY, USA: Association for Computing Machinery, 2021, p. 187-194. [Online]. Available: https: //doi-org. proxy. bnl. lu/10. 1145/3463676. 3485611
D. Barrera, H. G. Kayacik, P. C. van Oorschot, and A. Somayaji, "A methodology for empirical analysis of permission-based security models and its application to android, " in Proceedings of the 17th ACM conference on Computer and communications security-CCS '10. ACM Press, 2010, p. 73. [Online]. Available: http: //portal. Acm. org/citation. cfm?doid=1866307. 1866317
M. Hatamian, J. Serna, K. Rannenberg, and B. Igler, "Fair: Fuzzy alarming index rule for privacy analysis in smartphone apps, " in International Conference on Trust and Privacy in Digital Business. Springer, 2017, p. 3-18.
G. Bal and K. Rannenberg, "User control mechanisms for privacy protection should go hand in hand with privacy-consequence information: The case of smartphone apps, " in Proceedings of W3C Workshop on Privacy and User-Centric Controls, 2014, p. 1-5.
Prolific. (2021) Welcome to prolific. [Online]. Available: https: //www. prolific. com/
Apptopia. (2021) Worldwide and us download leaders 2021. [Online]. Available: https: //blog. Apptopia. com/ worldwide-and-us-download-leaders-2021
Google. (2021) Google play apps. [Online]. Available: https: //play. google. com/store/apps
C. Bösch, B. Erb, F. Kargl, H. Kopp, and S. Pfattheicher, "Tales from the dark side: Privacy dark strategies and privacy dark patterns. " Proc. Priv. Enhancing Technol., vol. 2016, no. 4, pp. 237-254, 2016.
A. D. P. W. Party, "Guidelines on transparency under regulation 2016/679, 17/en wp260 rev. 01, " Apr 2018, published: Online at. [Online]. Available: https: //ec. europa. eu/newsroom/article29/ redirection/document/51025
H. Almuhimedi, F. Schaub, N. Sadeh, I. Adjerid, A. Acquisti, J. Gluck, L. F. Cranor, and Y. Agarwal, "Your location has been shared 5, 398 times: A field study on mobile app privacy nudging, " in Proceedings of the 33rd Annual ACM Conference on Human Factors in Computing Systems. ACM, Apr 2015, p. 787-796. [Online]. Available: https: //dl. Acm. org/doi/10. 1145/2702123. 2702210
V. Distler, T. Gutfleisch, C. Lallemand, G. Lenzini, and V. Koenig, "Complex, but in a good way how to represent encryption to nonexperts through text and visuals-evidence from expert co-creation and a vignette experiment, " Computers in Human Behavior Reports, vol. 5, p. 100161, 2022. [Online]. Available: https: //www. sciencedirect. com/science/article/pii/S2451958821001093
C. Santos, A. Rossi, L. Sanchez Chamorro, K. Bongard-Blanchy, and R. Abu-Salma, "Cookie banners, what's the purpose: Analyzing cookie banner text through a legal lens, " in Proceedings of the 20th Workshop on Workshop on Privacy in the Electronic Society. ACM, Nov 2021, p. 187-194. [Online]. Available: https: //dl. Acm. org/doi/10. 1145/3463676. 3485611
F. Schaub, R. Balebako, A. L. Durity, and L. F. Cranor, "A design space for effective privacy notices, " in Eleventh Symposium On Usable Privacy and Security (SOUPS 2015), 2015, p. 1-17.
S. Barth and M. D. de Jong, "The privacy paradox-investigating discrepancies between expressed privacy concerns and actual online behavior-a systematic literature review, " Telematics and Informatics, vol. 34, no. 7, p. 1038-1058, Nov 2017.
V. Distler, C. Lallemand, and V. Koenig, "How acceptable is this how user experience factors can broaden our understanding of the acceptance of privacy trade-offs, " Computers in Human Behavior, vol. 106, p. 106227, 2020. [Online]. Available: https: //www. sciencedirect. com/science/article/pii/S0747563219304467
B. Liu, M. S. Andersen, F. Schaub, H. Almuhimedi, S. A. Zhang, N. Sadeh, Y. Agarwal, and A. Acquisti, "Follow My Recommendations: A Personalized Privacy Assistant for Mobile App Permissions, " in Twelfth Symposium on Usable Privacy and Security (SOUPS 2016). USENIX Association, 2016, pp. 27-41. [Online]. Available: https: //www. usenix. org/conference/soups2016/ technical-sessions/presentation/liu
D. Smullen, Y. Feng, S. Aerin Zhang, and N. Sadeh, "The Best of Both Worlds: Mitigating Trade-offs Between Accuracy and User Burden in Capturing Mobile App Privacy Preferences, " Proceedings on Privacy Enhancing Technologies, vol. 2020, no. 1, pp. 195-215, Jan. 2020. [Online]. Available: https: //www. sciendo. com/article/10. 2478/popets-2020-0011
H. Nissenbaum, "Privacy as contextual integrity, " Washington Law Review, vol. 79, no. 1, p. 119-158, 2004.
K. W. Y. Au, Y. F. Zhou, Z. Huang, and D. Lie, "Pscout: Analyzing the android permission specification, " in Proceedings of the 2012 ACM conference on Computer and communications security-CCS '12. ACM Press, 2012, p. 217. [Online]. Available: http: //dl. Acm. org/citation. cfm?doid=2382196. 2382222
N. Momen, T. Pulls, L. Fritsch, and S. Lindskog, "How much privilege does an app need Investigating resource usage of android apps (short paper), " in 2017 15th Annual Conference on Privacy, Security and Trust (PST), Aug 2017, p. 268-2685.
N. Momen and L. Fritsch, App-generated digital identities extracted through android permission-based data access-a survey of app privacy, ser. Gesellschaft für Informatik. Gesellschaft für Informatik eV, 2020, p. 15-28.
B. Bian, X. Ma, and H. Tang, "The supply and demand for data privacy: Evidence from mobile apps, " Available at SSRN, 2021.
X. Wei, L. Gomez, I. Neamtiu, and M. Faloutsos, "Permission evolution in the android ecosystem, " in Proceedings of the 28th Annual Computer Security Applications Conference on-ACSAC '12. ACM Press, 2012, p. 31. [Online]. Available: http: //dl. Acm. org/citation. cfm?doid=2420950. 2420956
K. Marky, A. Gutmann, P. Rack, and M. Volkamer, "Privacy friendly apps-making developers aware of privacy violations. " in 1st International Workshop on Innovations in Mobile Privacy and Security, IMPS 2016, co-located with the International Symposium on Engineering Secure Software and Systems (ESSoS 2016), 2016, p. 46-48.
M. Green and M. Smith, "Developers are not the enemy: The need for usable security APIs, " IEEE Security & Privacy, vol. 14, no. 5, p. 40-46, 2016.
T. Book, A. Pridgen, and D. S. Wallach, "Longitudinal analysis of android ad library permissions, " arXiv preprint arXiv: 1303. 0857, 2013.
foetusofexcellence on Reddit. (2018) Non-compliance of GDPR law with android permissions system : Android. [Online]. Available: https: //www. reddit. com/r/Android/comments/ 8708vq/noncompliance of gdpr law with android/
A. Claesson and T. E. Bjørstad, "Out of control-a review of data sharing by popular mobile apps, " Jan 2020. [Online]. Available: https: //fil. forbrukerradet. no/wp-content/ uploads/2020/01/mnemonic-security-test-report-v1. 0. pdf
M. Hatamian, "Engineering privacy in smartphone apps: A technical guideline catalog for app developers, " IEEE Access, vol. 8, p. 35429-35445, 2020.
K. Kollnig, R. Binns, M. Van Kleek, U. Lyngs, J. Zhao, C. Tinsman, and N. Shadbolt, "Before and after GDPR: Tracking in mobile apps, " Internet Policy Review, vol. 10, no. 4, Dec 2021, arXiv: 2112. 11117. [Online]. Available: http: //arxiv. org/abs/2112. 11117
Apple. (2021) The apps you love. from a place you can trust. [Online]. Available: https: //www. Apple. com/app-store/
H. A. Simon, "A Behavioral Model of Rational Choice, " The Quarterly Journal of Economics, vol. 69, no. 1, pp. 99-118, 02 1955. [Online]. Available: https: //doi. org/10. 2307/1884852