Assigning risk scores to apps may slow down unwarranted access to personal information
October 28, 2014
What information is beaming from your mobile phone over various computer networks this very second without you being aware of it?
Experts say your contact lists, email messages, surfed webpages, browsing histories, usage patterns, online purchase records and even password protected accounts may all be sharing data with intrusive and sometimes malicious applications, and you may have given permission.
"Smartphones and tablets used by today's consumers include many kinds of sensitive information," says Ninghui Li, a professor of Computer Science at Purdue University in Indiana.
The apps downloaded to them can potentially track a user's locations, monitor his or her phone calls and even monitor the messages a user sends and receives--including authentication messages used by online banking and other sites, he says, explaining why unsecured digital data are such a big issue.
Li, along with Robert Proctor and Luo Si, also professors at Purdue, leads the National Science Foundation (NSF)-funded project "User-Centric Risk Communication and Control on Mobile Devices," which investigates computer security. The work pays special attention to user control of security features in mobile systems.
Li, Proctor and Si believe they may have a simple solution for users who unknowingly grant access to their personal data.
Most users pay little attention
"Although strong security measures are in place for most mobile systems," they write in a recent report in the journal IEEE Transactions on Dependable and Secure Computing, "the area where these systems often fail is the reliance on the user to make decisions that impact the security of a device."
Most users pay little attention, say the researchers, to unwanted access to their personal information. Instead, they have become habituated to ignore security warnings and tend to consent to all app permissions.
"If users do not understand the warnings or their consequences, they will not consider them," says Proctor, a Distinguished Professor of psychological sciences at Purdue.
"If users do not associate violations of the warnings with bad consequences of their actions, they will likely ignore them," adds Jing Chen, a psychology Ph.D. student who works on the project.
In addition, there are other influences that contribute to users ignoring security warnings. In the case of Android app permissions, of which there are more than 200, many do not make sense to the average user or at best require time and considerable mental effort to comprehend.
"Permissions are not the only factor in users' decisions," says Si, an associate professor of Computer Science at Purdue, who also led research on a paper with Li that analyzed app reviews.
"Users also look at average ratings, number of downloads and user comments," Si says. "In our studies, we found that there exist correlations between the quality of an app and the average rating from users, as well as the ratio of negative comments about security and privacy."
"This is a classic example of the links between humans and technology," says Heng Xu, program director in the Secure and Trustworthy Cyberspace program in NSF's Social, Behavioral and Economic Sciences Directorate. "The Android smartphones studied by this group of scientists reveal the great need to understand human perception as it relates to their own privacy and security."
"The complexity of modern access control mechanisms in smartphones can confuse even security experts," says Jeremy Epstein, lead program director for the Secure and Trustworthy Cyberspace program in NSF's Directorate for Computer and Information Science and Engineering, which funded the research.
"Safeguards and protection mechanisms that protect privacy and personal security must be usable by all smartphone users, to avoid the syndrome of just clicking 'yes' to get the job done. The SaTC program encourages research like Dr. Li's and colleagues' that helps address security usability challenges."