Mobile Privacy

The services offered by mobile apps are useful, but these apps can also be privacy invasive, meaning that they compile and share more information than is needed for the task the app performs. For example, researchers at the University of California, Berkeley analyzed 940 apps and found that one third of them were overprivileged, meaning that these apps requested permissions for resources that were far beyond what was required for the functionality of the app. Such over-permissioning creates risk to both user security and privacy. These risks exist even in apps for the most vulnerable users, such as those that are designed for children. Currently, the Android and iOS privacy ecosystems are grounded in permissions, which control access to sensitive resources. These systems include permission manifests at the time of app selection, resource access warnings at first use, and per-resource controls. Under such permission models, applications must explicitly ask users for authorization to access sensitive information. Therefore, it is important that permission requests effectively communicate privacy risk.

We designed a study to evaluate the effectiveness of Android permissions requests. Specifically, we tried to understand (1) if users understood the permissions presented to them in the manifest, (2) if additional text warnings describing the permissions requests in aggregate are helpful, (3) if excessive permissions adversely affect app installations, and (4) if the perceived popularity of an application has an impact on installation rates. Our results indicated that the majority of the participants were unaware of the implications of the permissions presented to them. Participants also ignored both the permissions manifests and the additional textual warning presented. Therefore, there was no statistical difference between the participants with and without textual warnings. The results also showed that the perceived popularity of an application positively influenced user decisions to install the app. Given these results, we wanted to see if the addition of visual indicators would lead participants to pay more attention to the textual warnings. While the visual warnings did have an impact on the participants' behavior, this behavior was not consistent across groups, indicating that more research is needed to evaluate the effectiveness of visual warnings. Link to paper

We learnt from our previous study that permissions manifests were ineffective at communicating privacy risk and that visual indicators for privacy had an effect on users’ behavior. Building upon these findings, we wanted to further explore the effectiveness of visual indicators to communicate risk. So we conducted an experiment where we provided users with aggregate risk indicators using visual indicators and evaluated their effectiveness. Specifically, we wanted to evaluate the effect of different framing mechanisms and icons on users’ app installation behavior. The results from our experiment showed that when participants were presented with positively framed risk indicators using the padlock icon, they consistently made risk-averse app choices. These results were stronger when the participants were primed for privacy. However, in this experiment priming was done using a questionnaire, which is not practical to implement in real-world app stores. Link to paper

Building upon past work in warning research and human-subjects research, we decided to use sound notifications to prime users for privacy. The sound notifications were constructed using audio snippets of cheers and jeers. They were played when a person selected an app from the list-of-apps page and was transitioning to the app description page. The cheers were played when a person selected an app with a high privacy rating and the jeers were played when a person selected an app with a low privacy rating. The cheers were a form of positive reinforcement and were intended to encourage people to select more privacy-preserving applications. The jeers, on the other hand, were intended to warn people about apps with a low privacy rating.

To evaluate the proposed sound notifications, we conducted a between-subjects experiment with one control group and three experimental groups. The results from this experiment showed that participants with both visual indicators for privacy risk and priming through sound notifications made more privacy-preserving choices when compared to participants in the control group. The results also showed that participants with just visual indicators or just sound notifications did not consistently make privacy-preserving choices in the presence of popular applications. This indicates that people are more likely to select apps with a higher privacy rating when presented with both visual indicators and sound notifications. However, a longitudinal study is required to understand the long-term effects of sound notifications on users’ decision making. Link to paper

Visual Cue
Figure 1 - Visual cues used to communicate privacy risk


Audio Cues
Figure 2 - Illustration of audio feedback


Simulator
Figure 3 - Screenshot of the PlayStore simulator augmented with privacy rating