How Risky Are Real Users' IFTTT Applets?


Camille Cobb and Milijana Surbatovich, Carnegie Mellon University; Anna Kawakami, Wellesley College; Mahmood Sharif, NortonLifeLock; Lujo Bauer, Carnegie Mellon University; Anupam Das, North Carolina State University; Limin Jia, Carnegie Mellon University


Smart-home devices are becoming increasingly ubiquitous and interconnected with other devices and services, such as phones, fitness trackers, cars, and social media accounts. Built-in connections between these services are still emerging, but end-user-programming tools such as If-This-Then-That (IFTTT) have existed for almost a decade, allowing users to create rules (called applets in IFTTT) that dictate interactions between devices and services. Previous work found potential secrecy or integrity violations in many applets, but did so without examining how individual users interact with the service. In this work, we study the risks of real-world use of IFTTT by collecting and analyzing 732 applets installed by 28 participants and participants' responses to several survey questions. We found that significantly fewer applets than previously thought pose realistic secrecy or integrity risks to the users who install them. Perhaps consistently, participants were generally not concerned about potential harms, even when these were explained to them. However, examining participants' applets led us to identify several new types of privacy risks, which challenge some assumptions inherent in previous analyses that focus on secrecy and integrity risks. For example, we found that many applets involve monitoring incidental users: family, friends, and neighbors who may interact with someone else's smart-home devices, possibly without realizing it. We discuss what our findings imply for automatically identifying potentially harmful applets.

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

@inproceedings {255660,
author = {Camille Cobb and Milijana Surbatovich and Anna Kawakami and Mahmood Sharif and Lujo Bauer and Anupam Das and Limin Jia},
title = {How Risky Are Real Users{\textquoteright} {IFTTT} Applets?},
booktitle = {Sixteenth Symposium on Usable Privacy and Security (SOUPS 2020)},
year = {2020},
isbn = {978-1-939133-16-8},
pages = {505--529},
url = {},
publisher = {USENIX Association},
month = aug

Presentation Video