Identifying ways to improve smartphone security

colleagues argue that nearly all apps make permission requests with such risks.

Including a risk score has “significant positive effects”

The researchers believe, however, that assigning a risk score to each app and displaying a summary of that information may slow down unwarranted access to personal information by making the risk more transparent and by giving incentive to developers to use less personal information.

Li and his team conducted several experiments that employed a risk score strategy. They found that including a risk score had “significant positive effects” for those selecting apps to install on a user’s Android smartphone. They also reported that risk scores could lead to more user curiosity about security-related information, thereby reducing how often security warnings are disregarded.

Experiments asked participants to select between two apps presented to them in three ways: with risk summary information not displayed, with risk summary information displayed as text and/or with risk summary information displayed as a series of filled ovals similar to the one to five stars used to present consumer ratings.

In a first experiment, the researchers verified that the presence of risk-summary text could influence participants’ decisions as to whether to install an app. Participants chose the app identified as less risky 77 percent of the time.

In another experiment, the researchers focused on how risk information is communicated to the consumer. They wanted to know whether users would be more responsive to “risk information” or “safety information.” Li and colleagues tested the question using a number of filled circles — for half of the participants, they framed the filled circles to mean more risk. For the other half, they framed the filled circles to mean less risk or more security.

The researchers compared the response times for the two different ways of communicating risk. They found that consumer decisions to install the app were faster when information was presented in the safety condition, indicating that people have a natural tendency to react to safety information over risk information.

The outcome suggests it may be better to present permission warnings as safety information rather than the more common risk assessments.

“This result is surprising in one sense because security warnings typically are conveyed as risks,” says Li. “However, in another sense it is not too surprising because the positive framing of safety is more compatible with other aspects of selecting a desirable app.”

“When technologists design and implement security mechanisms for systems used by the mass population, they should not design for other technologists,” Li says. “Instead, they need to understand what can be comprehended and effectively used by the mass population.”

— Read more in C.S. Gates et al., “Effective Risk Communication for Android Apps,” IEEE Xplore 11, no. 3 (16 December 2013): 252–65 (DOI: 10.1109/TDSC.2013.58); and L. Cen et al., “A Probabilistic Discriminative Model for Android Malware Detection with Decompiled Source Code,” IEEE Xplore (8 September 2014) (DOI: 10.1109/TDSC.2014.2355839).