CONFIGURATION OF APPLICATION PERMISSIONS WITH CONTEXTUAL ACCESS CONTROL by Andrew Besmer A dissertation submitted to the faculty of The University of North Carolina at Charlotte in partial fulfillment of the requirements for the degree of Doctor of Philosophy in Information Technology Charlotte 2013 Approved by: Dr. Heather Richter Lipford Dr. Mohamed Shehab Dr. Celine Latulipe Dr. Richard Lambert Dr. Lorrie Cranor ii c 2013 Andrew Besmer ALL RIGHTS RESERVED iii ABSTRACT ANDREW BESMER. Configuration of application permissions with contextual access control. (Under the direction of DR. HEATHER RICHTER LIPFORD) Users are burdened with the task of configuring access control policies on many dif- ferent application platforms used by mobile devices and social network sites. Many of these platforms employ access control mechanisms to configure application per- missions before the application is first used and provide an all or nothing decision for the user. When application platforms provide fine grained control over decision making, many users exhibit behavior that indicates they desire more control over their application permissions. However, users who desire control over application permissions still struggle to properly configure them because they lack the context in which to make better decisions. In this dissertation, I attempt to address these problems by exploring decision making during the context of using mobile and social network applications. I hypothesize that users are able to better configure access control permissions as they interact with applications by supplying more contextual information than is available when the application is being installed. I also explore how logged access data generated by the application platform can provide users with more understanding of when their data is accessed. Finally, I examine the effects that this contextually improved application platform has on user decision making. iv DEDICATION I dedicate this dissertation to my family and friends, thank you for everything. None of this was possible without you. v ACKNOWLEDGMENTS Despite the fact that this is the first section you will read, it is the last I will write. As I reflect on my journey and how I got here, there are so many people I owe a debt of gratitude to. While it is me who this document is attributed to, my success is not and should not be considered a singular effort. So while you will not find any results in this section of the dissertation, I still encourage you to read it as well. First, the work in this dissertation would not be possible without funding from various sources including the fellowship I received: Graduate Assistance in Areas of National Need or GAANN. Additionally, I was fortunate enough to receive a small Google grant and some of my collaborators were funded through the National Sci- ence Foundation. Finally, UNC Charlotte has a program called GASP or Graduate Assistant Support Plan. These funding sources have made the cost of carrying out my work much more manageable. Next, I would like to thank my dissertation committee which consisted of Dr. Heather Richter Lipford, Dr. Celine Latulipe, Dr. Mohamed Shehab, Dr. Richard Lambert, and Dr. Lorrie Cranor. I have great esteem for these scholars and it has been my honor to work with them. Dr. Lipford, in addition to serving as the chair for my committee, was also my advisor more than half of my college career. I can not envision a better advisor and I am so grateful for everything she has done. She has celebrated both my academic successes and failures, and the advice she has given is second to none. I was also very fortunate to have a committee that was willing to give me enough rope to hang myself with and then provide me with the guidance, vi feedback, and direction I needed to ensure that did not happen. I have enjoyed the privilege of being able to set my own direction and thank the committee for allowing me to do that. I have had several collaborators beyond just those mentioned in this dissertation. Some of these collaborators in no particular order are: Tyler Thomas, Gorrell Cheek, Ashley Anderson, Katie Froiland, Vanessa Hernandez, Josh Harvel, Crystal Knox, Lauren Hamilton, Charisse Cotton, Jason Watson, Kate Strater, and Erik Northrop. It has been my pleasure to learn from and work with all of them. Jason Watson has become my very good friend and has helped me more than I could ask of any person. I am honored to have got to know/worked with such a kind, caring, and giving individual. Professionally, there is not a study I have been involved in that I have not discussed with him. Personally, there is not a thing I would hesitate to debate or ask him about. I would like to thank the many friends I have gotten to know. Day in and day out I have enjoyed the company of many of my lab mates. Among them, again in no particular order, you will find Berto Gonzalez who is in competition with Alexander Adams to be the world's most interesting man. I will leave it to others to judge the outcome. Erik Northrop and Vikash Singh who share my enthusiasm for PHP and Javascript. Okan Pala who gave my wife and I our first official dance lesson. Felesia Stukes who takes a genuine interest in both her work and the work of others around her. Jason Watson who has been an amazing friend. Michael Whitney, he still holds the title of the worlds most interesting man that Berto and Alex are currently competing for. Jun Zhu who is a very kind and hard working student. Matt Campbell vii who I wish I had more time to get to know. Mick Smythwood who very well might be the fastest learner I have ever met. Pam Wisniewski, her research motivated some of my own and ultimately got me more interested in statistical methods. Erin Carroll who is without a doubt one of the most intelligent and hard working women in computing. And finally, Jing Xie, my coast to coast friend. By sheer coincidence, fate brought us both from adjoining desks to the west coast at the same time, mere miles from one another. Jing introduced my wife and I to traditional Chinese restaurants and food. She is the reason that to this very day my wife uses chopsticks to eat rice. Besides my lab mates I have one other good friend I would like to acknowledge. Jamal Burgess who is one of the smartest people I know. Nearly everyday he and I will talk and I always enjoy the conversation. My parents were always an advocate of higher education and it is fair to say I would not have gone down this path if not for them. So Mom, Dad, thank you. Someone once asked, \Does the world need another Dr. Besmer?" I do not know the answer to that question, but I can say that there are very few brother/sister PhDs that are at the same institution, in the same building, at the same time. While we were in very different PhD programs, my sister has shared the experiences (good and bad) of graduate life with me. While she managed to graduate a few months earlier than I did, my dissertation is longer. Just saying. Seriously though, thanks for being one of the few people who understood everything happening in graduate school. I would like to thank my brother Timothy, he is fun to be around and has no problems expressing his opinions. Keep up the good work. I would also like to thank my wife Britney. She has been supportive of me, my studies, and kept me laughing with comments like, viii \I'm not a participant in your user studies mister!" Without her, instead of being a balding PhD, I would probably resemble some sort of completely bald mad scientist. I would be walking around talking about sharks with frickin' lasers beams attached to their heads. Last but not least, UNC Charlotte itself has been an amazing institution. I came to UNC Charlotte because of the reputation it has as a national center of academic excellence in information assurance education. As luck would have it UNC Charlotte also has stellar faculty, staff and students. I have been consistently amazed at how receptive the faculty are towards students needs and desires. Additionally, I have not encountered a single staff member at UNC Charlotte who was not exceptionally kind and caring. All have gone above and beyond what is expected of them. I thank them all and the institution itself for continuing to find such amazing students, people, and talent. ix TABLE OF CONTENTS LIST OF FIGURES xi LIST OF TABLES xiii CHAPTER 1: INTRODUCTION1 1.1 Dissertation Statement6 1.2 Contributions6 1.3 Organization7 CHAPTER 2: BACKGROUND 10 2.1 Security and Access Control 10 2.2 Human Computer Interaction and Usable Security 14 2.3 Privacy 19 2.4 Information Flow 23 2.5 Warnings and Notifications 26 CHAPTER 3: UNDERSTANDING THE USER 29 3.1 Social Network Application Platform Usage 29 CHAPTER 4: INSTALL TIME CONTEXTUAL CONFIGURATION 59 4.1 Install Time Configuration 59 CHAPTER 5: RUNTIME CONTEXTUAL CONFIGURATION 89 5.1 Mobile Contextual Configuration 91 5.2 Social Network Contextual Configuration 110 CHAPTER 6: NOTIFYING USERS 149 6.1 Notifying Users 149 x CHAPTER 7: DISCUSSION AND CONCLUSION 180 7.1 Updated Model 181 7.2 Discussion 184 7.3 Optimizing User Experience 188 7.4 Limitations And Future Work 190 7.5 Conclusion 192 REFERENCES 195 APPENDIX A: Scrapbooking Study Task Sheet 200 APPENDIX B: Scrapbooking Study Survey 202 APPENDIX C: Notification Study Survey For Code 211 APPENDIX D: Notification Study Daily Survey 213 xi LIST OF FIGURES FIGURE 1: Adding an application 31 FIGURE 2: Removing an application 53 FIGURE 3: Facebook's application access control model 63 FIGURE 4: Proposed application access control model