Mobile devices (e.g., smartphones and tablets) allow users to execute rich third-party applications that are capable of making extensive use of device hardware and personal data. This poses security risks, as applications may perform undesirable operations such as deleting data, damaging hardware, or even directly incurring charges on the user's phone bill. Mobile devices also pose privacy risks, as they store sensitive personal information that may be accessed and shared inappropriately.
Empowering users to decide how resources on their mobile devices are accessed (i.e., "granting permission") is an important challenge for the future of mobile computing. Our research has shown that existing mechanisms are ineffective: users frequently grant permissions because they either do not understand them, are habituated to them, or feel that they have no other choice. This research project aims to identify and study potential solutions to these problems.
This project develops a user-centered approach to mobile device permission requests. The project is conducting human-subjects experiments to design and validate more effective mechanisms for regulating privacy- or security-sensitive actions. The research agenda involves minimizing habituation to security warnings by substituting them with protected widgets (i.e., "trusted UI") or audit mechanisms, when possible; improving the design of security warnings, because alternative permission-granting mechanisms are sometimes inappropriate; and integrating these mechanisms into a platform that improves system security by taking a user-centered approach to granting permissions. If successful, this project could help develop a secure foundation for future generations of mobile devices.