Towards Usable Security Analysis Tools for Trigger-Action Programming


McKenna McCall and Eric Zeng, Carnegie Mellon University; Faysal Hossain Shezan, University of Virginia; Mitchell Yang and Lujo Bauer, Carnegie Mellon University; Abhishek Bichhawat, IIT Gandhinagar; Camille Cobb, University of Illinois Urbana-Champaign; Limin Jia, Carnegie Mellon University; Yuan Tian, University of California, Los Angeles


Research has shown that trigger-action programming (TAP) is an intuitive way to automate smart home IoT devices, but can also lead to undesirable behaviors. For instance, if two TAP rules have the same trigger condition, but one locks a door while the other unlocks it, the user may believe the door is locked when it is not. Researchers have developed tools to identify buggy or undesirable TAP programs, but little work investigates the usability of the different user-interaction approaches implemented by the various tools.

This paper describes an exploratory study of the usability and utility of techniques proposed by TAP security analysis tools. We surveyed 447 Prolific users to evaluate their ability to write declarative policies, identify undesirable patterns in TAP rules (anti-patterns), and correct TAP program errors, as well as to understand whether proposed tools align with users' needs. We find considerable variation in participants' success rates writing policies and identifying anti-patterns. For some scenarios over 90% of participants wrote an appropriate policy, while for others nobody was successful. We also find that participants did not necessarily perceive the TAP anti-patterns flagged by tools as undesirable. Our work provides insight into real smart-home users' goals, highlights the importance of more rigorous evaluation of users' needs and usability issues when designing TAP security tools, and provides guidance to future tool development and TAP research.

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

@inproceedings {289534,
author = {McKenna McCall and Eric Zeng and Faysal Hossain Shezan and Mitchell Yang and Lujo Bauer and Abhishek Bichhawat and Camille Cobb and Limin Jia and Yuan Tian},
title = {Towards Usable Security Analysis Tools for {Trigger-Action} Programming},
booktitle = {Nineteenth Symposium on Usable Privacy and Security (SOUPS 2023)},
year = {2023},
isbn = {978-1-939133-36-6},
address = {Anaheim, CA},
pages = {301--320},
url = {},
publisher = {USENIX Association},
month = aug

Presentation Video