Android Permissions: User Attention, Comprehension, and Behavior Adrienne Porter Felt*, Elizabeth Hay, Serge Egelman*, Ariel Haneyy, Erika Chin*, David Wagner* *Computer Science Department ySchool of Information University of California, Berkeley {apf,egelman,emc,daw}@cs.berkeley.edu, {lizzy,arielhaney}@ischool.berkeley.edu ABSTRACT data or sends premium SMS messages for profit. Grayware and Android’s permission system is intended to inform users about the malware have both been found in the Android Market, and the rate risks of installing applications. When a user installs an application, of new malware is increasing over time [17, 46]. he or she has the opportunity to review the application’s permission Google does not review or restrict Android applications. Instead, requests and cancel the installation if the permissions are excessive Android uses permissions to alert users to privacy- or security- or objectionable. We examine whether the Android permission sys- invasive applications. When a user initiates the process of installing tem is effective at warning users. In particular, we evaluate whether an application, he or she is shown the list of permissions that the Android users pay attention to, understand, and act on permission application requests. This list identifies all of the phone resources information during installation. We performed two usability stud- that the application will have access to if it is installed. For exam- SEND_SMS ies: an Internet survey of 308 Android users, and a laboratory study ple, an application with the permission can send text wherein we interviewed and observed 25 Android users. Study par- messages, but an application without that permission cannot. If the ticipants displayed low attention and comprehension rates: both the user is not comfortable with the application’s permission requests, Internet survey and laboratory study found that 17% of participants then he or she can cancel the installation. Users are not shown per- paid attention to permissions during installation, and only 3% of In- missions at any time other than installation. ternet survey respondents could correctly answer all three permis- In this paper, we explore whether Android permissions are us- sion comprehension questions. This indicates that current Android able security indicators that fulfill their stated purpose: “inform the permission warnings do not help most users make correct security user of the capabilities [their] applications have” [5]. We base our decisions. However, a notable minority of users demonstrated both inquiry on Wogalter’s Communication-Human Information Process- awareness of permission warnings and reasonable rates of compre- ing (C-HIP) model, which provides a framework for structuring hension. We present recommendations for improving user attention warning research [44]. The C-HIP model identifies a set of steps and comprehension, as well as identify open challenges. between the delivery of a warning and the user’s final behavior. We connect each step with a research question: Categories and Subject Descriptors 1. Attention switch and maintenance. Do users notice permis- H.5.2 [Information Interfaces and Presentation]: User Interfaces; sions before installing an application? A user needs to switch D.4.6 [Software]: Security and Protection—Access controls focus from the primary task (i.e., installation) to the per- mission warnings, and she needs to focus on the permission warnings for long enough to read and evaluate them. General Terms 2. Comprehension and memory. Do users understand how per- Human Factors, Security missions correspond to application risks? Users need to un- derstand the scope and implications of permissions. Keywords 3. Attitudes and belief. Do users believe that permissions accu- rately convey risk? Do users trust the permission system to Android, smartphones, mobile phones, usable security limit applications’ abilities? 4. Motivation. Are users motivated to consider permissions? 1. INTRODUCTION Do users care about their phones’ privacy and security? Do Android supports a booming third-party application market. As they view applications as threats? of July 2011, the Android Market included more than 250; 000 5. Behavior. Do permissions influence users’ installation deci- applications, which have been downloaded more than six billion sions? Do users ever cancel installation because of permis- times [34]. Unfortunately, the growth in the Android platform has sions? Users should not install applications whose permis- triggered the interest of unscrupulous application developers. An- sions exceed their comfort thresholds. droid grayware collects excessive amounts of personal information (e.g., for aggressive marketing campaigns), and malware harvests Each step is critical: a failure of usability at any step will render all subsequent steps irrelevant. We performed two usability studies to address the attention, com- Copyright is held by the author/owner. Permission to make digital or hard prehension, and behavior questions. First, we surveyed 308 An- copies of all or part of this work for personal or classroom use is granted droid users with an Internet questionnaire to collect data about their without fee. Symposium on Usable Privacy and Security (SOUPS) 2012, July 11-13, understanding and use of permissions. Next, we observed and in- 2012, Washington, DC, USA. terviewed 25 Android users in a laboratory study to gather nuanced data. The two studies serve to confirm and validate each other. We do not study attitudes or motivation because we find that most users fail to pass the attention and comprehension steps. Our primary findings are: • Attention. In both the Internet survey and laboratory study, 17% of participants paid attention to permissions during a given installation. At the same time, 42% of laboratory par- ticipants were unaware of the existence of permissions. • Comprehension. Overall, participants demonstrated very low rates of comprehension. Only 3% of Internet survey respon- dents could correctly answer three comprehension questions. However, 24% of laboratory study participants demonstrated competent—albeit imperfect—comprehension. • Behavior. A majority of Internet survey respondents claimed to have decided not to install an application because of its permissions at least once. Twenty percent of our laboratory Figure 1: On the left, a screenshot of the Android Market’s final installation study participants were able to provide concrete details about page, displaying the application’s permission requests. On the right, the times that permissions caused them to cancel installation. permission dialog that appears if a user clicks on a permission warning. functionality and requirements. Users can weigh the permissions Our findings indicate that the Android permission system is nei- against their trust of the application and personal privacy concerns. ther a total success nor a complete failure. Due to low attention The official Android Market provides every application with two and comprehension rates, permissions alone do not protect most installation pages. The first installation page includes a description, users from undesirable applications (i.e., malware or grayware). user reviews, screenshots, and a “Download” button. After press- However, a minority of laboratory study participants (20%) demon- ing “Download,” the user arrives at a final installation page that strated awareness of permissions and reasonable rates of under- includes the application’s requested permissions (Figure 1). Per- standing (comprehension grades of 70% or higher). This minority missions are displayed as a three-layer warning: a large heading could be sufficient to protect others if their opinions about appli- that states each permission’s general category, a small label that cation permissions could be successfully communicated via user describes the specific permission, and a hidden details dialog. If reviews. We also found that some people have altered their be- an application requests multiple permissions in the same category, havior based on permissions, which demonstrates that users can be their labels will be grouped together under that category heading. receptive to security and privacy warnings during installation. If a user clicks on a permission, the details dialog opens. The de- Contributions. We contribute the following: tails dialog may include examples of how malicious applications can abuse the permission (e.g., “Malicious applications can use this • Android permissions are intended to inform users about the to send your data to other people”). The permission system gives risks of installing applications [5]. We evaluate whether An- users a binary choice: they can cancel the installation, or they can droid permissions are effective security indicators. accept all of the permissions and proceed with installation. • Researchers have speculated that Android permission warn- On most phones, Android users can also download applications ings are ignored by users [18, 15]. We perform two studies from non-Google stores like the Amazon Appstore. When a user to investigate how people use permissions in practice; to our selects an application through an unofficial store, that store might knowledge, we are the first to provide quantitative data. not present permission information. However, Android’s installa- • We explore the reasons why users do not pay attention to tion system will always present the user with a permission page or understand Android permissions, and we identify specific