Experts call for risk scores to improve smartphone app security
Next time you download or update an app for your smartphone or tablet and blitz through messages asking for permissions approval, you may be unnecessarily exposing your personal information to possible cyber violation. Researchers suggest this issue could potentially be addressed through better consumer education and an easy to understand risk score for each app.
Researchers from Purdue University, working as part of a U.S. National Science Foundation (NSF) funded project, examined the decision-making patterns of smartphone users with regard to app usage. They came away with the disturbing conclusion that most users habitually ignore security warnings and consent to app permissions without a second thought as to what they are actually agreeing to.
"Although strong security measures are in place for most mobile systems, the area where these systems often fail is the reliance on the user to make decisions that impact the security of a device," the researchers wrote in a recent report.
Furthermore, beyond users paying little attention to what they are clicking through, there is the plain fact that the permission requests seeking approval often read as though written by programmers for programmers. In other words, they aren't always written in plain English, and at a minimum they require time and considerable effort for average individuals to understand.
"The complexity of modern access control mechanisms in smartphones can confuse even security experts," said Jeremy Epstein, lead program director for the Secure and Trustworthy Cyberspace program in NSF's Directorate for Computer and Information Science and Engineering. "Safeguards and protection mechanisms that protect privacy and personal security must be usable by all smartphone users, to avoid the syndrome of just clicking 'yes' to get the job done."
The Android ecosystem as an example
The scope of the problem, purely in terms of numbers, raises big red flags. In the Android ecosystem alone, more than 400 million devices were activated in 2012. To these devices, as of July 2013, users had downloaded over 50 billion apps from Google's official online store. Although users are warned that granting permissions to apps in certain categories could allow them to read and modify contact details and calendar events, send emails without the user's knowledge, or change settings that control the user's mobile data connection, even this may not be enough to inform average users.
What researchers are proposing instead is a simple risk score system that would inform users of potential risks in a simpler, more transparent way and prompt app developers to create apps that use less personal information. Experiments conducted by the team to test out reactions to a risk score approach found users generally had better attention and more curiosity around security warnings presented in this way.
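To make the idea of a per-app risk score concrete, here is an added example that is not from the article or the Purdue team's work. It parses the permission requests in a constructed Android manifest, translates the permissions the article names (contacts, calendar, messaging, mobile data) into plain English, and rolls them up into a single score and rating. The weights, the "private data plus exit channel" bonus and the rating thresholds are all assumptions chosen for illustration; a real scoring model would derive them from data.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Hypothetical weights (assumption, not the researchers' model) and
# plain-English wording for some real Android permission names.
PERMISSION_INFO = {
    "android.permission.READ_CONTACTS": (3, "read the names and numbers in your contacts"),
    "android.permission.WRITE_CONTACTS": (3, "change or delete your contacts"),
    "android.permission.READ_CALENDAR": (2, "read your calendar events"),
    "android.permission.WRITE_CALENDAR": (2, "add or change your calendar events"),
    "android.permission.SEND_SMS": (4, "send text messages without asking you (this can cost money)"),
    "android.permission.CHANGE_NETWORK_STATE": (2, "switch your mobile data connection on or off"),
    "android.permission.ACCESS_FINE_LOCATION": (3, "see your precise location"),
    "android.permission.RECORD_AUDIO": (3, "record audio with the microphone"),
    "android.permission.INTERNET": (1, "send data over the internet"),
    "android.permission.ACCESS_NETWORK_STATE": (0, "check whether you are online"),
}

# Assumption: an app that can both read private data and move it off the
# device deserves extra scrutiny, so that combination adds a bonus.
PRIVATE_DATA = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_CALENDAR",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.RECORD_AUDIO",
}
EXIT_CHANNELS = {"android.permission.INTERNET", "android.permission.SEND_SMS"}
COMBINATION_BONUS = 2


def requested_permissions(manifest_xml):
    """Return the android:name of every <uses-permission> in the manifest."""
    root = ET.fromstring(manifest_xml)
    names = []
    for el in root.iter("uses-permission"):
        name = el.get("{%s}name" % ANDROID_NS)
        if name:
            names.append(name)
    return names


def rating(score):
    """Assumed thresholds: 0-3 low, 4-8 medium, 9 and above high."""
    if score <= 3:
        return "low"
    if score <= 8:
        return "medium"
    return "high"


def risk_report(manifest_xml):
    perms = requested_permissions(manifest_xml)
    score = 0
    warnings = []   # plain-English sentences shown to the user
    unknown = []    # permissions we have no wording for; surfaced, not hidden
    for p in perms:
        if p in PERMISSION_INFO:
            weight, text = PERMISSION_INFO[p]
            score += weight
            if weight > 0:
                warnings.append("This app can " + text + ".")
        else:
            unknown.append(p)
    if PRIVATE_DATA & set(perms) and EXIT_CHANNELS & set(perms):
        score += COMBINATION_BONUS
        warnings.append("This app can read private data and also send data off your device.")
    return {"score": score, "rating": rating(score),
            "warnings": warnings, "unknown": unknown}


# Constructed sample manifest for a hypothetical "flashlight" app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="com.example.CUSTOM_PERMISSION"/>
</manifest>"""

if __name__ == "__main__":
    report = risk_report(SAMPLE_MANIFEST)
    print("Risk score: %d (%s)" % (report["score"], report["rating"]))
    for line in report["warnings"]:
        print(" -", line)
    if report["unknown"]:
        print("Permissions without plain-English wording:", ", ".join(report["unknown"]))
```

The point of the design is less the arithmetic than the presentation: a single number and a few sentences a non-programmer can read, with anything the scorer does not understand listed rather than silently dropped, which is the kind of transparency the proposed score is meant to provide.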
"This is a classic example of the links between humans and technology," said Heng Xu, program director in the Secure and Trustworthy Cyberspace program in NSF's Social, Behavioral and Economic Sciences Directorate. "The Android smartphones studied by this group of scientists reveal the great need to understand human perception as it relates to their own privacy and security."
The team's research appears in the journal IEEE Transactions on Dependable and Secure Computing.