
PermissionWatcher: Creating User Awareness of Application Permissions in Mobile Systems

  • Conference paper
Ambient Intelligence (AmI 2012)

Part of the book series: Lecture Notes in Computer Science (LNISA, volume 7683)

Abstract

Permission systems control access of mobile applications to other applications, data, and resources on a smartphone. Both from a technical and a social point of view, they are based on the assumption that users actually understand these permissions and can hence make an informed decision about which permission to grant to which piece of software. Results of a survey conducted for this article seriously challenge this assumption. For instance, over a third of participating Android users were not able to correctly identify the meaning of the permission Full Internet Access. We developed PermissionWatcher, an Android application which provides users with awareness information about other applications and allows them to check on the permission set granted to individual applications. In a field study with 1000+ Android users, we collected data that provides evidence that users are willing to follow security principles if security awareness is created and information is presented in a clear and comprehensive way. Therefore, we argue that it is essential for security policies to take the abilities of the target audience into account.




Copyright information

© 2012 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Struse, E., Seifert, J., Üllenbeck, S., Rukzio, E., Wolf, C. (2012). PermissionWatcher: Creating User Awareness of Application Permissions in Mobile Systems. In: Paternò, F., de Ruyter, B., Markopoulos, P., Santoro, C., van Loenen, E., Luyten, K. (eds) Ambient Intelligence. AmI 2012. Lecture Notes in Computer Science, vol 7683. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-34898-3_5

  • DOI: https://doi.org/10.1007/978-3-642-34898-3_5

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-34897-6

  • Online ISBN: 978-3-642-34898-3

  • eBook Packages: Computer Science, Computer Science (R0)
