Yusra Elbitar, CISPA Helmholtz Center for Information Security, Saarland University; Michael Schilling, CISPA Helmholtz Center for Information Security; Trung Tin Nguyen, CISPA Helmholtz Center for Information Security, Saarland University; Michael Backes and Sven Bugiel, CISPA Helmholtz Center for Information Security
Current mobile platforms leave it up to the app developer to decide when to request permissions (timing) and whether to provide explanations of why and how users' private data are accessed (rationales). Given these liberties, it is important to understand how developers should use timing and rationales to effectively assist users in their permission decisions. While guidelines and recommendations for developers exist, no study has systematically investigated the actual influence of timing, rationales, and their combinations on users' decision-making process. In this work, we conducted a comparative online study with 473 participants who were asked to interact with mockup apps drawn from a pool of 120 variations of 30 apps. The study design was guided by developers' current permission request practices, derived from a dynamic analysis of the top apps on Google Play. Our results show that there is a clear interplay between timing and rationales on users' permission decisions and on the evaluation of their decisions: the effect of rationales is stronger when they are shown upfront, and the effect of timing is limited when rationales are present. We therefore suggest adaptations to the available guidelines. We also find that permission decisions depend on the individuality of users, indicating that there is no one-size-fits-all permission request strategy, upon which we suggest better individual support and outline one possible solution.
author = {Yusra Elbitar and Michael Schilling and Trung Tin Nguyen and Michael Backes and Sven Bugiel},
title = {Explanation Beats Context: The Effect of Timing \& Rationales on Users{\textquoteright} Runtime Permission Decisions},
booktitle = {30th USENIX Security Symposium (USENIX Security 21)},
year = {2021},
isbn = {978-1-939133-24-3},
pages = {785--802},
url = {https://www.usenix.org/conference/usenixsecurity21/presentation/elbitar},
publisher = {USENIX Association},
month = aug
}