ACONUNDRUMOFPERMISSIONSINSTALLINGAPPLICATIONSONANANDROIDSMARTPHONEBYPATRICKGAGEKELLEYDECEMBER2011EACHTIMEAUSERINSTALLSANAPPLICATIONONTHEIRANDROIDPHONETHEYAREPRESENTEDWITHAFULLSCREENOFINFORMATIONDESCRIBINGWHATACCESSTHEYWILLBEGRANTINGTHATAPPLICATIONTHISINFORMATIONISINTENDEDTOHELPTHEMMAKETWOCHOICESWHETHERORNOTTHEYTRUSTTHATTHEAPPLICATIONWILLNOTDAMAGETHESECURITYOFTHEIRDEVICEANDWHETHERORNOTTHEYAREWILLINGTOSHARETHEIRINFORMATIONWITHTHEAPPLICATION,DEVELOPER,ANDPARTNERSINQUESTIONWEPERFORMEDASERIESOFSEMISTRUCTUREDINTERVIEWSINTWOCITIESTODETERMINEWHETHERPEOPLEREADANDUNDERSTANDTHESEPERMISSIONSSCREENS,ANDTOBETTERUNDERSTANDHOWPEOPLEPERCEIVETHEIMPLICATIONSOFTHESEDECISIONSWEFINDTHATTHEPERMISSIONSDISPLAYSAREGENERALLYVIEWEDANDREAD,BUTNOTUNDERSTOODBYANDROIDUSERSALARMINGLY,WEFINDTHATPEOPLEAREUNAWAREOFTHESECURITYRISKSASSOCIATEDWITHMOBILEAPPSANDBELIEVETHATAPPMARKETPLACESTESTANDREJECTAPPLICATIONSINSUM,USERSARENOTCURRENTLYWELLPREPAREDTOMAKEINFORMEDPRIVACYANDSECURITYDECISIONSAROUNDINSTALLINGAPPLICATIONSKEYWORDSPRIVACY,SECURITY,ANDROID,APPLICATIONS,SMARTPHONE,PERMISSION,INFORMATIONDESIGN1INTRODUCTIONSINCETHELAUNCHOFTHEFIRSTANDROIDPHONEINOCTOBER2008THERISEOFTHEPLATFORMHASBEENMETEORICANDROIDPHONESACCOUNTEDFOROVERHALFOFALLSMARTPHONESALESASOFQ32011WITHEACHSMARTPHONESOLD,MOREUSERSAREDOWNLOADINGAPPLICATIONSFROMTHEANDROIDMARKETASOFMAY20116,GOOGLEREPORTEDTHATOVER200,000APPLICATIONSWEREAVAILABLEINTHEANDROIDMARKETANDTHATTHOSEAPPLICATIONSHADBEENINSTALLED45BILLIONTIMESINTOTAL2APPLICATIONSARENOTPRESCREENEDINSTEADUSERSAREGIVENTHEOPPORTUNITYTODECIDEWHICHSOFTWARETOINSTALLONTHEIRPHONEANDROIDAPPRATINGANDRECOMMENDATIONSITEAPPBRAINREPORTSTHATTHEREARENOW310,000APPLICATIONSINTHEANDROIDMARKETANDTHAT33PERCENTOFTHOSEARERATEDAT“LOWQUALITY“ADDITIONALLY,ACCORDINGTOA2011JUNIPERNETWORKSREPORT,ANDFOLLOWUPPRESSRELEASE,THEYFOUND“A472INCREASEINANDROIDMALWARESAMPLESSINCEJULY2011TONOVEMBER2011”8SIMILARSTUDIESFROMMCAFEE11,KASPERSKYLAB12,ANDSYMANTECAREALLREPORTINGCONTINUEDEXPLOITSJUNIPERATTRIBUTESTHISRISETOTHEEASEOFPOSTINGANDROIDAPPLICATIONSTOTHEMARKET,ASTHEYSTATE“ALLYOUNEEDISADEVELOPERACCOUNTTHATISRELATIVELYEASYTOANONYMIZE,25ANDYOUCANPOSTYOURAPPLICATIONSWITHNOUPFRONTREVIEWPROCESS,NOONEISCHECKINGTOSEETHATYOURAPPLICATIONDOESWHATITSAYS”WHILESOMEBELIEVETHISOPENNESSISHARMFULTOUSERS,GOOGLEHASPROMOTEDITINONEOFGOOGLESMANYTRIBUTESTOOPENNESS,SENIORVICEPRESIDENTOFPRODUCTMANAGEMENT,JONATHANROSENBERGWROTE,“ATGOOGLEWEBELIEVETHATOPENSYSTEMSWINTHEYLEADTOMOREINNOVATION,VALUE,ANDFREEDOMOFCHOICEFORCONSUMMERS,ANDAVIBRANT,PROFITABLE,ANDCOMPETITIVEECOSYSTEMFORBUSINESSES”13ASSUCH,THEREHASBEENNOCERTIFICATIONPROCESSFORANDROIDDEVELOPERSORPREREVIEWOFAPPLICATIONSBEFORETHEYENTERTHEANDROIDMARKET,THOUGHAPPLICATIONSREPORTEDASMALICIOUSHAVEBEENLATERREMOVEDTHEMARKETREQUIRESUSERSTOMAKETWOCHOICESWHENREVIEWINGPOTENTIALAPPLICATIONSFORTHEIRDEVICE1DOIBELIEVETHISAPPLICATIONWILLCOMPROMISETHESECURITYANDFUNCTIONOFMYPHONEIFIINSTALLIT2DOITRUSTTHISDEVELOPERANDTHEIRPARTNERSWITHACCESSTOMYPERSONALINFORMATIONTHISLEAVESUSERSLEFTTOLEVERAGEWORDOFMOUTH,MARKETREVIEWSANDRATINGS,ANDTHEANDROIDPERMISSIONSDISPLAYTOASSISTUSERSINMAKINGDECISIONSTHATPROTECTTHEIRMOBILEPRIVACYANDSECURITYWECONDUCTEDASERIESOF20SEMISTRUCTUREDINTERVIEWSTOBETTERUNDERSTANDHOWUSERSNAVIGATETHEANDROIDMARKET,INSTALLANDUSETHIRDPARTYAPPLICATIONS,ANDCOMPREHENDTHEDECISIONSTHEYMAKEATINSTALLTIMEINTHEREMAINDEROFTHISPAPERWEWILLDETAILRELATEDWORKONUSERSUNDERSTANDINGOFPRIVACYANDACCESSCONTROLCONCEPTSASWELLASTHECURRENTSTATEOFANDROIDSECURITY/PERMISSIONS,OURINTERVIEWMETHODOLOGY,THEDEMOGRAPHICSANDEXPERTISEOFOURPARTICIPANTS,ANDFINALLYACOLLECTIONOFPARTICIPANTRESPONSESTHATQUALITATIVELYDETAILTHEIRABILITYTOMAKEDECISIONSINTHEANDROIDECOSYSTEM2RELATEDWORKWHILEANDROIDHASONLYEXISTEDPUBLICLYSINCE2008,ASIGNIFICANTAMOUNTOFWORKHASBEENCONDUCTEDONSTUDYINGTHEANDROIDPERMISSIONS/SECURITYMODELMUCHOFTHISWORKFOCUSESONCREATINGTHEORETICALFORMALIZATIONSOFHOWANDROIDSECURITYWORKSORPRESENTSIMPROVEMENTSTOTHESYSTEMSECURITY,ANDISLARGELYOUTOFSCOPEEYCKWORKWITHTAINTDROIDHASBRIDGEDTHEGAPBETWEENSYSTEMSECURITYANDUSERFACINGPERMISSIONS,FOCUSINGONANALYZINGWHICHAPPLICATIONSAREREQUESTINGINFORMATIONTHROUGHPERMISSIONSANDTHENSENDINGTHATDATAOFFPHONE4FOLLOWUPWORKBYHORNYACKETALDETAILEDAMETHODFORINTERCEPTINGTHESELEAKEDTRANSMISSIONSANDREPLACINGTHEMWITHNONSENSITIVEINFORMATION7THISFUNCTIONALITYWOULDALLOWUSERSPOSTINSTALLATIONPRIVACYCONTROLINTHEIRINVESTIGATIONTHEYDETAILEDTHECURRENTPERMISSIONREQUESTSOFTHETOP1100APPLICATIONSINTHEANDROIDMARKETASOFNOVEMBER2010HOWEVER,OURWORK,WHICHTESTSUSERSUNDERSTANDINGSOFTHEMOSTCOMMONOFTHESEPERMISSIONS,FINDSUSERSHAVEGREATDIFFICULTYUNDERSTANDINGTHEMEANINGOFTHESETERMSTHUS,GIVINGUSERSTHEABILITYTOLIMITONACASEBYCASEBASISWOULDLIKELYBEINEFFECTIVEWITHOUTASSISTANCEWORKBYVIDAHASALSOSTUDIEDHOWAPPLICATIONSREQUESTPERMISSIONS,FINDINGPREVALENT“PERMISSIONSCREEP,”DUETO“EXISTINGDEVELOPERAPISWHICHMAKEITDIFFICULTFORDEVELOPERSTOALIGNTHEIRPERMISSIONREQUESTSWITHAPPLICATIONFUNCTIONALITY”15FELTINTHEIRANDROIDPERMISSIONSDEMYSTIFIEDWORK,ATTEMPTTOFURTHEREXPLAINPERMISSIONSTODEVELOPERS5HOWEVER,NEITHEROFTHESEPAPERSEXPLORESENDUSERSUNDERSTANDINGOFPERMISSIONSINOUROWNWORKWEFINDUSERSATTEMPTTORATIONALIZEWHYAPPLICATIONSREQUESTSPECIFICPERMISSIONS,TRYINGTOUNDERSTANDTHEDEVELOPERSDECISIONS,EVENIFTHEIRUNDERSTANDINGOFTHESEREQUESTSISFLAWEDOTHERSWHOHAVELOOKEDATANDROIDPERMISSIONSHAVEATTEMPTEDTOCLUSTERAPPLICATIONSTHATREQUIRESIMILARPERMISSIONSTOSIMPLIFYTHECURRENTSCHEME3ORHAVEATTEMPTEDACOMPARISONOFMODERNSMARTPHONEPERMISSIONSYSTEMS1THEIRWORKFINDSTHATANDROIDPERMISSIONSPROVIDETHEMOSTINFORMATIONTOUSERS,HOWEVEROURINTERVIEWSSHOWTHATMUCHOFTHEINFORMATIONPROVIDEDISNOTUNDERSTOODRESEARCHINPRIVACYPOLICIES,FINANCIALPRIVACYNOTICES,ANDACCESSCONTROLHAVEALLSIMILARLYSHOWNTHATPRIVACYRELATEDCONCEPTSANDTERMSAREOFTENNOTWELLUNDERSTOODBYUSERSEXPECTEDTOMAKEPRIVACYDECISIONS9,10,14OUREARLIERWORKSPECIFICALLYINVESTIGATEDHOWTHEINFORMATIONDISPLAYOFPRIVACYPOLICIESCOULDINFLUENCEUNDERSTANDING,FOCUSINGONSTANDARDIZEDFORMATS,TERMS,ANDDEFINITIONSWHILETHEANDROIDECOSYSTEMUSESASTANDARDFORMATANDTERMS,CLEARDEFINITIONSARENOTREADILYAVAILABLETOUSERS3ANDROIDPERMISSIONSANDDISPLAYANDROIDAPPPERMISSIONSAREDISPLAYEDTOUSERSATTHETIMETHEYDECIDETOINSTALLANYTHIRDPARTYAPPTHROUGHTHEANDROIDMARKETONTHEWEBORONTHEPHONEAPPSDOWNLOADEDFROMTHIRDPARTYAPPSTORESDONOTNECESSARILYSHOWFULLPERMISSIONSONTHEIRWEBSITES,HOWEVERUPONINSTALLINGTHEAPPLICATIONPACKAGEAPKTHEUSERISPRESENTEDWITHAPERMISSIONSSCREENVARIANTPERMISSIONSARESHOWNWITHINTHEANDROIDMARKETASDETAILEDINTHEFOLLOWINGDIAGRAM,FIGURE1AUSERBROWSESAPPLICATIONSUSINGTHEVIEWSHOWNINSCREEN1HERETHEREISATRUNCATEDDESCRIPTION,INFORMATIONABOUTRATINGS,REVIEWS,SCREENSHOTS,ETCIFAUSERDECIDESTOINSTALLTHEYCLICKTHEBUTTONLABELEDWITHTHEPRICEOFTHEAPPLICATION,HEREFREETHISBRINGSTHEMTOSCREEN2,FIG1THEFIGUREABOVESHOWSTHEWORKFLOWFORINSTALLINGAPPLICATIONSANDVIEWINGAPPLICATIONPERMISSIONSSCREEN1SHOWSTHEAMAZONKINDLEAPPLICATIONASDISPLAYEDINTHEANDROIDMARKETIFAUSERWERETOCLICK”FREE,”CIRCLEDINRED,THEYARESHOWNSCREEN2,WHICHALLOWSTHEMTOACCEPTPERMISSIONSANDINSTALLTHEAPPLICATION,ORTOCLICKTHE”SHOW”BUTTONWHICHLEADSTHEUSERTOSCREENS3AND4WHERETHEYAREGIVENASHORTLISTOFPERMISSIONSIFUSERSDOUBLETAPTHEFREEBUTTONONSCREEN1,THEYSKIPSCREEN2ANDESSENTIALLYAPPROVETHEPERMISSIONSWITHOUTREADINGTHOUGHSCREEN2SERVESTHESOLEPURPOSEOFANINTERSTITIALPERMISSIONSDISPLAYBETWEENTHEMARKETANDAPURCHASEDECISION,THECOMPLETELISTOFPERMISSIONSISNOTDISPLAYEDTOEXPLORETHEFULLPERMISSIONREQUESTTHEYWOULDCLICKTHEMOREEXPANDER,BRINGINGTHEMTOSCREEN3HERETHEYWOULDSEEAMORECOMPLETELISTOFPERMISSIONSWITHSOMEPERMISSIONSHOWNINREDANDASHOWALLBUTTON,WHICHDISPLAYSTHEENTIRELISTIFTOGGLEDATNOPOINTINTHISPROCESSISTHEREANEXPLICITWAYFORUSERSTOCANCELTHEONLYWAYFORUSERSTONOTINSTALLTHEAPPLICATIONAFTERVIEWINGTHEPERMISSIONSISTOUSETHEPHYSICALBACKORHOMEBUTTONSONTHEIRPHONETHEDEFAULTPERMISSIONSANDGROUPSINTHEANDROIDSDKAREDETAILEDATANDROIDSDEVELOPERSITETHEHUMANREADABLETERMSARENOTINCLUDEDINTHEANDROIDDOCUMENTATION4METHODOLOGYTOREACHADEEPERANDMORENUANCEDUNDERSTANDINGOFHOWPEOPLENAVIGATETHECURRENTANDROIDECOSYSTEM,WECONDUCTEDSEMISTRUCTUREDINTERVIEWSINSUMMER2011WITH20PARTICIPANTSFROMPITTSBURGHANDSEATTLETHEINTERVIEWSWEREEXPLORATORYINNATURE,SEEKINGBROADUNDERSTANDINGOFPARTICIPANTSINTERACTIONSWITHTHEIRSMARTPHONESASWELLASDIVINGDEEPLYINTOISSUESSURROUNDINGTHEDISPLAYOFPERMISSIONS,THESAFETYOFTHEANDROIDMARKET,ANDPOSSIBLEHARMSOFINFORMATIONSHARINGWERECRUITEDPARTICIPANTSTHROUGHFLAYERSAROUNDEACHCITYANDLOCALCRAIGSLISTPOSTINGSEACHCANDIDATEFILLEDOUTASHORTPRESURVEYONLINEBEFORETHEINTERVIEW,WHICHALLOWEDUSTOCONFIRMTHEYDIDUSEANANDROIDENABLEDSMARTPHONETHOSEPARTICIPANTSWHOOPTEDINTOTHESUBSEQUENTINTERVIEWARRIVEDATOURLABSANDCOMPLETEDOURCONSENTFORMALLOWINGUSTOMAKEANAUDIORECORDINGOFTHEIRINTERVIEWFOLLOWINGTHEINTERVIEWPARTICIPANTSWEREGIVENTHEOPPORTUNITYTOOPTINTOSHARETHEIRAPPLICATIONINFORMATIONWITHUS,COLLECTEDTHROUGHASCRIPTRUNNINGONALOCALLAPTOP,WHICHWECONNECTEDTHEIRPHONETOVIAUSBWHILETHEYWATCHEDPARTICIPANTSQUOTESTHROUGHOUTTHEREMAINDEROFTHEPAPERARETAKENFROMTRANSCRIPTIONSMADEFROMTHEAUDIORECORDINGSOFTHEINTERVIEWSPARTICIPANTSWEREPAID20FORSUCCESSFULCOMPLETIONOFTHEINTERVIEW,INTHEFORMOFTHEIRCHOICESOFTARGET,STARBUCKS,ORBARNESITSAWAYTOPROTECTYOURSELFIGUESSCALLMEPARANOID”SOMEPARTICIPANTSSTATEDTHATTHEYWERENOTSUREHOWTRUSTWORTHYTHEPERMISSIONSDISPLAYWASONESAIDOFIT,“ISITAREQUIREMENTTOBEONTHERETHEMARKETTHATTHESOFTWARETELLSYOUWHATITISACCESSINGARETHEYREQUIREDTONOTIFYMEORNOT,IDONTKNOW”UNFORTUNATELY,MOSTPARTICIPANTSDONOTBELIEVETHEYUNDERSTANDTHETERMSUSEDANDHAVENOTGONEOUTOFTHEIRWAYTOLEARNWHATTHEYMEANWESHOWEDALISTOFTENPERMISSIONSWITHTHEPERMISSIONGROUPLABEL,INTHEFASHIONTHEYWOULDBESHOWNINTHEPERMISSIONSDISPLAY,TOEACHUSERANDASKEDTHEMTOEXPLAINTOUSTHEIRUNDERSTANDINGOFEACHTERMPARTICIPANTSREACTEDTOTHISTASKWITHCONSTERNATIONHEREWEPRESENTASELECTIONOFCOMMON,SURPRISING,ANDSTRAINEDRESPONSESTHATWERECEIVEDONSIXOFTHETENTERMSWETESTEDNETWORKCOMMUNICATIONFULLINTERNETACCESSOFTHE1100APPLICATIONSREPORTEDONINHORNYACKSWORK7,FULLINTERNETACCESSISBYFARTHEMOSTREQUESTEDPERMISSION,REQUESTEDBY941OFTHE1100APPLICATIONS,OR855OFTHOSESURVEYEDOURPARTICIPANTSWEREAWAREOFWHATTHEINTERNETISANDUNDERSTOODWHYAPPLICATIONSNEEDEDITHOWEVERHOWAPPLICATIONSHAVEACCESSTOIT,WHYTHEYWOULDNEEDTOSPECIFYIT,ANDHOWAPPLICATIONSWOULDFUNCTIONWITHOUTITWEREOFTENUNCLEARPARTICIPANTSASKEDQUESTIONSTHROUGHOUTABOUTWHYAPPLICATIONSNEEDEDTHEACCESSTHEYREQUESTEDPARTICIPANTSFREQUENTLYASKEDTHEINTERVIEWERFOREXAMPLESOFAPPLICATIONSTHATREQUESTEDTHEPERMISSIONSWELISTED,ASWELLASWHYTHEYWERENEEDEDTHERELATIONSHIPBETWEENTHEAPPLICATIONSANDTHEPERMISSIONSTHEYREQUESTEDSEEMED,WITHOUTASSISTANCE,UNKNOWABLEONEPARTICIPANT,WHENASKEDIFSHETHOUGHTOTHERSUNDERSTOODTHESEPERMISSIONSSAID,“NOIMEANFORMETOHAVETOTHINKASMUCH,ANDIHAVEBEENUSINGTHESETHINGS,ANDHAVEBEENSORTOFATECHGEEKFORYEARSYEAH,THATSCONCERNING”WITHVIDASANDFELTFINDINGTHATDEVELOPERSAREMISUNDERSTANDINGPERMISSIONS,ANDOFTENAPPLYINGTHEMWITHOUTNEED,ANDSELFPROCLAIMED“TECHGEEKS”FINDINGTHETERMSDIFFICULT,COMMONUSERSARELEFTNEARHELPLESSTHESYSTEMANDTERMSASTHEYCURRENTLYSTANDHAVENOTBEENCREATEDOREXPLAINEDFORTHEAVERAGEUSER62APPLICATIONSELECTIONHALFOFOURPARTICIPANTSMENTIONEDTHEEXISTENCEOFTHEPERMISSIONSDISPLAYBEFOREBEINGPROMOTEDWHENAPARTICIPANTDIDMENTIONTHEDISPLAY,WEIMMEDIATELYSHOWEDAPAPEREXAMPLEOFONEWHILEPERMISSIONINFORMATIONISONEVECTORTOASSISTUSERSINSELECTINGWHICHAPPLICATIONSTOINSTALL,MANYOFOURPARTICIPANTSREPORTEDHEAVYRELIANCEONSTARRATINGS,FULLTEXTREVIEWS,ANDWORDOFMOUTHTHESEOTHERSOURCESOFINFORMATIONWEREBETTERUNDERSTOODANDMORETRUSTEDWHILEREADINGTHROUGHTHEREVIEWSWASSEENASTIMECONSUMING,WORDOFMOUTHWASATRUSTEDWAYTOFINDHIGHQUALITYAPPLICATIONSONEPARTICIPANTRECOUNTEDHISFRUSTRATIONSWITHSIMPLYSEARCHINGTHESTOREANDWHYHETRUSTEDOTHERSOPINIONS“IFEELITISVERYMUCHATRIALANDERROREXERCISEANDTHAT,IDONTKNOWWHETHERTHATAPPISAPIECEOFCRAPORWHETHERITWORKSSOWHENIKNOWSOMEBODYTHATTELLSMETHATTHISAPPISGOOD,THATREALLYMEANSALOTTOME”PARTICIPANTSALSOREPORTEDHEARINGABOUTAPPS,LARGELYOFSERVICESANDPRODUCTSTHEYALREADYUSED,THROUGHADVERTISEMENTSONEPARTICIPANTDESCRIBEDHISEXPERIENCEWITHSEEINGANDROIDAPPADS,“IHAVESEENMAGAZINESANDBILLBOARDSFORINSTANCETIMEMAGAZINE,THEYHAVEWRITTENYOUCANALSODOWNLOADTHEAPPLICATION”WHILEMOSTOFOURPARTICIPANTSSAIDTHEYDONOTPURCHASEAPPSATALL,OTHERSSAIDINCERTAINCASESTHEYWOULDP6SAID,“ITRYTOLOOKFORTHEFREEONESFIRST,ANDIFICANTFINDANYFREEONESIWILLGOAHEADANDBUYIT”63CONCERNOVERMALICIOUSAPPLICATIONSWEASKEDPARTICIPANTSIFTHEYHADHEARDANYTHINGABOUTANDROIDPHONESORANDROIDAPPLICATIONSINTHENEWS,MEDIA,ORONTHEINTERNETPARTICIPANTSTOLDUSABOUTANDROIDSINCREASINGMARKETSHARE,COMPARISONSBETWEENIOSANDANDROID,ANDABOUTAFEWWELLADVERTISEDAPPSWHENASKEDAFOLLOWUP,TOSPECIFICALLYINQUIREONTHEIRAWARENESSOFMALICIOUSAPPLICATIONSINTHEANDROIDMARKET,OURPARTICIPANTSWERELARGELYUNAWAREOFANYSUCHACTIVITYWHILESOMESAIDTHEYHADMEANTTO,ORWEREINTENDINGTOINSTALLANTIVIRUSAPPLICATIONSONTHEIRPHONES,MOSTWEREUNCONCERNEDABOUTTHETHREATOFMALWAREWEATTRIBUTETHISLACKOFCONCERNTOTWOSTRANDSWEPICKEDUPTHROUGHOUTTHEINTERVIEWSTHEFIRSTISANEXPECTEDCOPINGMECHANISMTHATMANYPARTICIPANTSADMITTEDTO,ALACKOFTRUSTINNEWTECHNOLOGYFOREXAMPLE,PARTICIPANTSREPORTEDANUNWILLINGNESSTODOBANKINGFROMTHEIRPHONEONEPARTICIPANTSAID“IDONTDOBANKINGONLINETHROUGHMYPHONEBECAUSETHATDOESNTSEEMPARTICULARLYSAFETOMEIPREFERANACTUALDESKTOPFORTHATBECAUSEIAMPARANOID”THESECONDPARTOFTHISLACKOFCONCERNTOWARDSMALICIOUSAPPSSHOWSADEEPERMISUNDERSTANDINGOFTHEANDROIDECOSYSTEMALLOFOURPARTICIPANTS,WITHOUTEXCEPTION,BELIEVEDORHOPEDTHATANDROID,THEENTITY,WASPRESCREENINGAPPLICATIONSBEFOREENTRANCEINTOTHEMARKETPARTICIPANTSELABORATELYDESCRIBEDTHEREVIEWSTHATTHEYTHOUGHTWERETAKINGPLACE,SCREENINGNOTJUSTFORVIRUSESORMALWARE,BUTRUNNINGUSABILITYTESTSONUSERS,BLOCKINGAPPLICATIONSTHATWERETOOREPETITIVE,OREVENSCREENINGOUTAPPLICATIONSNOTENOUGHPEOPLEWOULDWANTTHEYBELIEVEDANDROIDWASCHECKINGFORCOPYRIGHTORPATENTVIOLATIONS,ANDOVERALLEXPECTEDANDROIDTOBEPROTECTINGTHEIRBRANDADDITIONALLY,PEOPLEWEREUNAWAREOFWHOWASACTUALLYRUNNINGANDROIDTHEYSAWITASAVAGUEENTITYTHATTHEYCOULDNOTATTRIBUTETOANYSPECIFICPARENTCOMPANYSOMEKNEWANDSOMEGUESSEDITWASGOOGLE,OTHERSREALIZEDTHEYHADNEVERSTOPPEDTOTHINKABOUTTHATBEFOREANDWERESIMPLYUNABLETOATTRIBUTETHEOSTOANYOTHERCOMPANY7CONCLUSIONUSERSDONOTUNDERSTANDANDROIDPERMISSIONSSPECIFICALLY,THEHUMANREADABLETERMSDISPLAYEDBEFOREINSTALLINGANAPPLICATIONAREATBESTVAGUE,ANDATWORSTCONFUSING,MISLEADING,JARGONFILLED,ANDPOORLYGROUPEDTHISLACKOFUNDERSTANDINGMAKESITDIFFICULTFORPEOPLE,FROMDEVELOPERSTONONTECHNICALUSERS,TOMAKEINFORMEDDECISIONSWHENINSTALLINGNEWSOFTWAREONTHEIRPHONESLARGELY,THEPERMISSIONSAREIGNORED,WITHPARTICIPANTSINSTEADTRUSTINGWORDOFMOUTH,RATINGS,ANDANDROIDMARKETREVIEWSUSERSALSOARELARGELYUNINFORMEDABOUTTHEEXISTENCEOFMALWAREORMALICIOUSAPPLICATIONSTHATCOULDBEINTHEANDROIDMARKETTHEYHAVEDIFFICULTYDESCRIBINGTHEPOSSIBLEHARMTHATCOULDBECAUSEDBYAPPLICATIONSCOLLECTINGANDSHARINGTHEIRPERSONALINFORMATIONWHILEPARTICIPANTSSTATEDTHEYTRYTOFINDGOODAPPLICATIONSINTHEMARKET,THEYBELIEVETHEYAREPROTECTEDBYOVERSIGHTPROCESSESWHICHDONOTEXISTOVERALL,USERSARENOTCURRENTLYWELLPREPAREDTOMAKEINFORMEDPRIVACYANDSECURITYDECISIONSAROUNDINSTALLINGAPPLICATIONSFROMTHEANDROIDMARKET一個(gè)權(quán)限的難題ANDROID智能手機(jī)上安裝應(yīng)用程序的權(quán)限作者PATRICKGAGEKELLEY2011年12月每當(dāng)用戶在自己的ANDROID手機(jī)上安裝一個(gè)應(yīng)用程序的時(shí)候，都會(huì)跳出一個(gè)提示安裝的消息框，提示用戶是否接受安裝。彈出消息提示框的目的是為了幫助ANDROID用戶做出兩個(gè)選擇第一，判斷ANDROID用戶是否信任或者同意安裝該軟件到自己的ANDROID手機(jī)上；第二，如果ANDROID用戶同意并安裝該軟件到自己的ANDROID手機(jī)上，那么在使用的過程中出現(xiàn)的問題話，ANDROID手機(jī)用戶同意并發(fā)送消息給目標(biāo)主機(jī)，以便開發(fā)人員更好的修補(bǔ)漏洞。我們?cè)趦蓚€(gè)城市之間進(jìn)行了一系列半結(jié)構(gòu)化面試，目的是為了調(diào)查人們?cè)诎惭bANDROID應(yīng)用程序之前彈出權(quán)限消息提示框是否被人們所理解。經(jīng)過我們的調(diào)查發(fā)現(xiàn)，大部分ANDROID手機(jī)用戶在安裝應(yīng)用程序的時(shí)候彈出的消息對(duì)話框，并沒有太大的注意，而是選擇跳過并直接安裝應(yīng)用程序。令人擔(dān)憂的是，我們發(fā)現(xiàn)ANDROID手機(jī)用戶并沒有意識(shí)到應(yīng)用程序的安全性問題，在很多情況下，安裝的應(yīng)用程序往往有時(shí)候可能攜帶病毒軟件?？傊?，ANDROID用戶并沒有真正意識(shí)到在安裝應(yīng)用程序的時(shí)候彈出消息提示框的重要性和安全性。關(guān)鍵詞隱私，安全，安卓，應(yīng)用軟件，智能手機(jī)，權(quán)限，信息設(shè)計(jì)1引言自2008年10月谷歌推出第一款A(yù)NDROID智能手機(jī)的時(shí)候，在第三季度智能手機(jī)銷量排行榜中，ANDROID手機(jī)強(qiáng)占了一半以上的市場(chǎng)銷售份額。隨著ANDROID智能手機(jī)銷量的不斷增多，使得越來越多的用戶從ANDROIDMARKET市場(chǎng)上下載應(yīng)用程序到自己的ANDROID手機(jī)上。截至2011年5月，據(jù)谷歌報(bào)道，總共有20萬的應(yīng)用程序從ANDROID市場(chǎng)上被用戶下載下來，并且總共被安裝了45億次。ANDROID市場(chǎng)并沒有預(yù)先篩選應(yīng)用程序，而是提供給用戶選擇安裝應(yīng)用程序的自由。通過對(duì)ANDROID應(yīng)用程序總部的調(diào)查報(bào)告顯示，雖然在ANDROID市場(chǎng)上存在三十一萬的ANDROID應(yīng)用程序，但是其中有百分之三十三的ANDROID應(yīng)用程序是低質(zhì)量的?？偠灾鶕?jù)2011年的網(wǎng)絡(luò)數(shù)據(jù)報(bào)告可得，從MCAFEE、KASPERSKYLAB、SYMANTEC的數(shù)據(jù)可知自2011年的七月開始，我們發(fā)現(xiàn)惡意軟件的增長速度是以百分之47倍的速度在增長。所有想要在ANDROID市場(chǎng)上拍賣自己的應(yīng)用程序軟件，就必須花費(fèi)25的手續(xù)費(fèi)來開通自己的個(gè)人賬號(hào)，通過上傳自己的應(yīng)用程序軟件，并從中獲取利潤。當(dāng)然，ANDROID市場(chǎng)是不會(huì)去檢查你的應(yīng)用程序到底包含哪些基本信息。然而，這對(duì)ANDROID用戶是非常不利的。對(duì)此谷歌來完成這項(xiàng)保護(hù)ANDROID手機(jī)用戶的任務(wù)。通過調(diào)查我們提供給ANDROID用戶兩種安裝選擇。1你是否愿意安裝此軟件到你的手機(jī)上2你是否信任開發(fā)商去訪問你的個(gè)人信息通過我們的走訪調(diào)查可知，大部分的ANDROID手機(jī)用戶都希望應(yīng)用程序提供詳細(xì)的權(quán)限安裝問題，并表示這是對(duì)于手機(jī)安全性的一個(gè)必不可少的環(huán)節(jié)。ANDROID用戶還提出應(yīng)該由用戶自己選擇什么時(shí)候彈出權(quán)限消息提示框，這樣做的目的是為了減少給客戶到來不必要的麻煩。2相關(guān)工作雖然ANDROID手機(jī)僅僅只是在2008年發(fā)布后的不久誕生的，但是有一個(gè)重要的工作需要我們?nèi)ネ瓿傻模蔷褪菍W(xué)習(xí)ANDROID手機(jī)的權(quán)限安全性問題。提出這個(gè)重要的理論依是根據(jù)對(duì)ANDROID手機(jī)運(yùn)行的安全性或者提高系統(tǒng)的安全性能出發(fā)的。EYCK的相關(guān)的工作主要是研究ANDROID系統(tǒng)的安全性和面向用戶權(quán)限之間的差異化，重點(diǎn)分析在ANDROID用戶關(guān)閉手機(jī)的時(shí)候，通過權(quán)限請(qǐng)求消息與手機(jī)之間建立通信功能。VIDA的主要工作是研究如何讓ANDROID應(yīng)用程序接受請(qǐng)求權(quán)限，通過研究后來發(fā)現(xiàn)，權(quán)限存在一個(gè)“權(quán)限危機(jī)”的現(xiàn)象。由于ANDROID提供的API文檔接口與用戶實(shí)際接受的應(yīng)用程序請(qǐng)求消息無法建立連接，所以這就是開發(fā)人員現(xiàn)在面臨的一個(gè)主要難題。FELT主要工作是揭秘ANDROID權(quán)限的工作原理，試圖進(jìn)一步解釋權(quán)限的開發(fā)商為什么要怎么開發(fā)。然而，無論是最終用戶探討這些應(yīng)用程序權(quán)限的理解。在我們的工作調(diào)查中發(fā)現(xiàn)雖然ANDROID手機(jī)用戶明明知道安裝一個(gè)應(yīng)用程序可能存在風(fēng)險(xiǎn)或者病毒，但是還是有很多ANDROID用戶試圖為自己找借口忽略這些安裝權(quán)限消息提示框，常常抱怨為什么安裝一個(gè)應(yīng)用程序軟件要怎么多麻煩的權(quán)限消息提示框。另一些人看待ANDROID應(yīng)用程序權(quán)限問題的態(tài)度是試圖去簡(jiǎn)化應(yīng)用程序權(quán)限的安裝過程或者跟其他智能手機(jī)對(duì)比安裝權(quán)限的過程。通過ANDROID用戶的反饋信息我們可以得出一個(gè)結(jié)論ANDROID應(yīng)用程序權(quán)限安裝的過程中提供了全面的安裝信息給ANDROID手機(jī)用戶，然而ANDROID用戶對(duì)這些提供的信息往往是不怎么在意或者忽略。3ANDROID權(quán)限和顯示ANDROID用戶通過從ANDROID市場(chǎng)上下載第三方應(yīng)用軟件并安裝在自己的手機(jī)上，當(dāng)ANDROID應(yīng)用程序在安裝的過程中根據(jù)ANDROID用戶的選擇性自己選擇是否彈出權(quán)限消息提示框來幫助ANDROID用戶更好的安裝ANDROID應(yīng)用程序軟件。來自ANDROID市場(chǎng)的第三方應(yīng)用程序沒有必要顯示所有權(quán)限信息，然而以上的應(yīng)用程序包（APK）安裝時(shí)，都會(huì)出現(xiàn)彈出一個(gè)權(quán)限的消息對(duì)話框。圖1上圖顯示安裝應(yīng)用程序的工作流程和查看應(yīng)用程序軟件的權(quán)限。屏幕1顯示了在ANDROID市場(chǎng)上發(fā)布亞馬遜應(yīng)用程序軟件。當(dāng)用戶想要安裝該軟件的時(shí)候，點(diǎn)擊紅色圓圈按鈕“免費(fèi)”來進(jìn)入屏幕2的操作界面，或者也可以點(diǎn)擊紅色圓圈的“顯示所示”來查看應(yīng)用程序權(quán)限，如圖屏幕3和屏幕4圖1顯示了安裝應(yīng)用程序的工作流程。屏幕1顯示了亞馬遜的KINDLE應(yīng)用程序。如果用戶點(diǎn)擊紅色圓圈按鈕“免費(fèi)”進(jìn)入顯示屏幕2，這使得他們接受應(yīng)用程序的權(quán)限并獲得安裝應(yīng)用程序的權(quán)限，也可以通過點(diǎn)擊紅色圓圈按鈕來“顯示所有信息”并查看相關(guān)的權(quán)限，如圖屏幕3和4。用戶可以通過點(diǎn)擊更多按鈕，來查看更多完整的權(quán)限要求。如圖屏幕2的紅色圓圈按鈕。切換至屏幕3時(shí)，用戶可以點(diǎn)擊紅色圓圈按鈕的“顯示所有”來查看整個(gè)應(yīng)用程序的完整信息。在這一個(gè)過程中如果用戶想要取消應(yīng)用程序的安裝，可以通過點(diǎn)擊ANDROID手機(jī)上的返回按鈕或者ANDROID手機(jī)上的主頁按鈕來取消當(dāng)前應(yīng)用程序的安裝。詳細(xì)的應(yīng)用程序權(quán)限或者組請(qǐng)參照ANDROIDSDK的官方網(wǎng)站，也可以通過查看ANDROID文檔來獲取應(yīng)用程序權(quán)限的詳細(xì)信息。4方法論我們通過在當(dāng)?shù)卣心糀NDROID用戶參與我們的采訪調(diào)查。每名ANDROID用戶都必須填寫一份ANDROID問卷調(diào)查報(bào)告，才能參見下一輪的面試。隨后工作人員安排每一位ANDROID用戶進(jìn)入特定的實(shí)驗(yàn)室，填寫ANDROID用戶調(diào)查同意書，主要是為了配合工作人員更好的調(diào)查ANDROID用戶的情況，在調(diào)查的過程中采取錄音的方式。采訪結(jié)束后每一位ANDROID用戶都可以共享出自己ANDROID手機(jī)上的應(yīng)用軟件，通過USB與工作人員筆記本電腦的連接，來更好的統(tǒng)計(jì)ANDROID應(yīng)用程序的數(shù)量。ANDROID用戶通過在同意書上簽字并表示自己同意錄音，以便工作人員更好的統(tǒng)計(jì)ANDROID應(yīng)用程序的數(shù)量。每位參與完整個(gè)過程的ANDROID用戶都將獲得二十元美金來作為回報(bào)，并有機(jī)會(huì)獲得星巴克、巴尼斯的高貴禮品卡一張。5人口統(tǒng)計(jì)和對(duì)問卷調(diào)查答復(fù)總共有七十七名ANDROID用戶參與了此次調(diào)查，其中有二十名ANDROID用戶接受面談。本文的其余部分都將只是討論這20名ANDROID用戶。其中有六名是來自西雅圖，十三名師來自匹茲堡，有十名ANDROID用戶是男性，有十名ANDROID用戶是女性。這二十名ANDROID用戶的年齡在十九到四十八歲之間，據(jù)統(tǒng)計(jì)他們的平均年齡在二十九歲。據(jù)調(diào)查有十四名ANDROID用戶使用ANDROID智能手機(jī)不到一年就