I recently ran two user studies to determine the effectiveness of Android permissions in practice. Our results are now available as a technical report: Android Permissions: Attention, Comprehension, Behavior. Android permissions are supposed to inform users of the risks of using applications. However, researchers have speculated that users ignore them. We decided to establish how well they actually work.
Here are our primary findings:
- Attention. In both a self-reported Internet survey and observational laboratory study, 17% of participants paid attention during a given installation. 42% of laboratory study participants were completely unaware of permissions.
- Comprehension. Only 3% of Internet survey respondents could correctly answer three multiple-choice comprehension questions. No lab study participants could correctly describe all of the permissions of familiar apps.
- Behavior. A majority of Internet survey respondents and 20% of lab study participants say they have decided not to install an app in the past because of its permissions.
We categorized 20% of the lab study participants as “power users”: they sometimes look at permissions and scored reasonably well on our comprehension test. It’s possible that a small fraction of “power users” could write negative reviews when they encounter troubling permission requests, thereby protecting other users.
Our studies identified several factors that contribute to the low attention and comprehension rates. Here are two of them:
- Permission categories widely confuse users. Permissions are sorted into categories, and the category labels are displayed in large text. For example, one warning has “Your personal information” in large text and “Read contact data” in small text. Although the permission only grants access to contacts, people see the heading and think it includes other types of personal information. The category headings are so broad that they cause users to overestimate the scope and risk of the requested permissions.
- Users cannot connect permission warnings to risks. Most of the warnings are resource-centric, like “full Internet access” and “read phone state and identity.” Users are left to decide on their own how the resources might be used, which causes them to underestimate or overestimate the risks of permissions.
If you’re interested in learning more about the studies, our paper contains our methodology, more results, and a longer discussion of the implications of our findings.