Schneier on Security
A blog covering security and security technology.
May 21, 2010
Applications Disclosing Required Authority
This is an interesting piece of research evaluating different user interface designs by which applications disclose to users what sort of authority they need to install themselves. Given all the recent concerns about third-party access to user data on social networking sites (particularly Facebook), this is particularly timely research.
We have provided evidence of a growing trend among application platforms to disclose, via application installation consent dialogs, the resources and actions that applications will be authorized to perform if installed. To improve the design of these disclosures, we have taken an important first step of testing key design elements. We hope these findings will assist future researchers in creating experiences that leave users feeling better informed and more confident in their installation decisions.
Within the admittedly constrained context of our laboratory study, disclosure design had surprisingly little effect on participants' ability to absorb and search information. However, the great majority of participants preferred designs that used images or icons to represent resources. This great majority of participants also disliked designs that used paragraphs, the central design element of Facebook's disclosures, and outlines, the central design element of Android's disclosures.
Posted on May 21, 2010 at 1:17 PM
Leaving this to the application is of course insane anyway.
JD is exactly correct: this is not a task for the application. Rather it is functionality the OS should provide to the user.
I grumble every time I have to escalate an installation process to administrative mode so that it can install itself. Instead I should be telling the OS what the application I'm installing should be allowed to do.
Being told what permissions an application wants is great, but if it asks for a permission you don't want to give it, you don't really have any alternative. But in many cases, good alternatives would be possible if the operating system/platform would provide them. For example, if an app wanted access to your location, you could specify a fake location to give it instead; if it wants access to the filesystem, you could give it an empty sandbox to write to instead; if it wants to call home, you could lie to it and say your network connection is down.
On Android, apps have to specify their needed permissions, which will be shown at installation time. This is enforced by the OS, and apps cannot gain other permissions later. Of course, this is by design and assuming a correctly implemented OS.
There is also a proposal to adapt the installation routine to allow users to individually remove requested permissions (see ASIACCS 2009).
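The two mechanisms the comments above describe, an install-time manifest the OS enforces so that an app cannot gain undeclared permissions later, and a per-permission choice that lets the user hand the app a harmless stand-in (a fake location, an empty sandbox, a "network down" answer) instead of the real resource, can be sketched as a small broker. The code below is an added illustration written for this page, not code from the paper, from Android, or from any commenter; the permission names, descriptions and substitute values are constructed for the example.

```python
"""Toy model of an OS-mediated permission broker (constructed example)."""
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    GRANT = "grant"            # app gets the real resource
    SUBSTITUTE = "substitute"  # app gets a stand-in chosen by the platform
    DENY = "deny"              # request fails


class PermissionDenied(Exception):
    """Raised when a request is denied or was never declared."""


# Text for the install-time disclosure dialog (constructed for the example).
DESCRIPTIONS = {
    "location": "read your current position",
    "filesystem": "read and write your files",
    "network": "send and receive data over the network",
}


def make_substitute(permission):
    """Stand-in the platform hands out when the user picks SUBSTITUTE."""
    if permission == "location":
        return {"lat": 0.0, "lon": 0.0}   # constructed fake fix
    if permission == "filesystem":
        return {}                         # fresh, empty per-app sandbox
    if permission == "network":
        return None                       # indistinguishable from "offline"
    raise ValueError(f"no substitute defined for {permission}")


@dataclass
class InstalledApp:
    name: str
    declared: frozenset          # from the manifest, fixed at install time
    policy: dict                 # permission -> Decision, chosen by the user
    sandbox: dict = field(default_factory=dict)


class Platform:
    def __init__(self, real_resources):
        self.real = real_resources   # what the OS actually holds
        self.apps = {}

    def disclosure(self, manifest_permissions):
        """What the consent dialog would show for this manifest."""
        unknown = [p for p in manifest_permissions if p not in DESCRIPTIONS]
        if unknown:
            raise ValueError(f"manifest asks for unknown permissions: {unknown}")
        return [(p, DESCRIPTIONS[p]) for p in manifest_permissions]

    def install(self, name, manifest_permissions, user_choices):
        """Record the declared set and the user's per-permission decision."""
        self.disclosure(manifest_permissions)   # validates the manifest
        declared = frozenset(manifest_permissions)
        # Anything the user did not explicitly grant or substitute is denied.
        policy = {p: user_choices.get(p, Decision.DENY) for p in declared}
        self.apps[name] = InstalledApp(name, declared, policy)
        return policy

    def request(self, app_name, permission):
        """Mediate a runtime request; the app never touches resources directly."""
        app = self.apps[app_name]
        if permission not in app.declared:
            # No escalation after install, whatever the user might later allow.
            raise PermissionDenied(f"{app_name} never declared {permission}")
        decision = app.policy[permission]
        if decision is Decision.GRANT:
            return self.real[permission]
        if decision is Decision.SUBSTITUTE:
            if permission == "filesystem":
                return app.sandbox   # same empty sandbox each call, so writes persist
            return make_substitute(permission)
        raise PermissionDenied(f"user denied {permission} to {app_name}")


def demo():
    """Install a constructed app and exercise grant, substitute and escalation."""
    platform = Platform(real_resources={
        "location": {"lat": 51.5, "lon": -0.12},
        "filesystem": {"photos": ["a.jpg"]},
        "network": "online",
    })
    platform.install("mapapp", ["location", "network"],
                     {"location": Decision.GRANT, "network": Decision.SUBSTITUTE})
    results = {
        "location": platform.request("mapapp", "location"),
        "network": platform.request("mapapp", "network"),
    }
    try:
        platform.request("mapapp", "filesystem")   # never declared in the manifest
        results["escalation"] = "allowed"
    except PermissionDenied:
        results["escalation"] = "blocked"
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the broker is that the application code path is identical whether it received the real resource or the stand-in, so "denying" a permission does not have to mean a visibly crippled app; the undeclared-permission check is what makes the install-time disclosure trustworthy, because the set shown to the user is the most the app can ever obtain.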
FWIW, the OLPC had a thorough system for allowing/disallowing specific permissions for software as well (eg, things like allowing access to camera, etc).
What's really interesting:
They spend a lot of time and effort to measure how easily users can absorb the presented decision dialogs depending on the design of the user interface. The predictable outcome: it doesn't matter much.
What they don't ask:
Do the users understand the implications of their decisions? Concerning this study they obviously couldn't, because there was no application behind the UI and nobody can know what will be done with the resources. But from my experience with many software users, they can hardly know what the software will do with their information as well.
Instead of continuing this pointless discussion about the design of user interfaces it would be time to face the real challenge: How can we give users with different degrees of computer skills *control* over this highly complex system.
P.S.: Sorry, I just read: two out of the three researchers are from Microsoft. So forget about the last question.
"We hope these findings will assist future researchers in creating experiences that leave users feeling better informed and more confident in their installation decisions."
"Feeling better informed." It's all about appearances. Giving a false sense of knowledge and a false sense of security.
Presenting this information, that the average user doesn't understand and can't do anything about anyway, allows the distributors to escape responsibility.
It's about creating immunity from responsibility for distributors by appearing to transfer that responsibility to users while in fact they don't have any power at all.
The "creating experiences" phrase tells all. Advertising speech that means nothing. Credible research it is not!
I have to agree - we know from a technical point of view how to do sandboxing. That's the easy part. Especially supporting the features jimrandomh wants - essentially lying to the application.
I think it's high time we figure out how to make these features work for end-users. But does this require us to actually implement something, the chicken-n-egg problem?
The issue from a developer's perspective is that he wants to provide the best experience possible. On a phone, if the user decides to arbitrarily allow some and not other permissions that the app requests at install time, then the app will most likely be crippled and leave the user disappointed or at least missing out on major pieces of functionality. If the user knew this was the direct result of his/her decision not to allow the app access to all the resources it initially requested, that'd be fine; but as others have said, the majority of users will not understand the result of their choice to grant permissions at install time, thus leaving them with the impression that it is a poorly designed/built app, when the reality is that the user him/herself has simply crippled it. In the mobile app world, where positive reviews drive downloads and thus revenue for developers, this can be a big problem.
The problem with doing as jimrandomh said, and not allowing network access for the app to phone home, is that many developers implement some kind of license double-check to provide another layer of security against piracy. Especially on phones that make it absurdly easy to pirate apps *cough Android cough*, this is additional important functionality to developers. If a user were given the option to restrict an app's ability to phone home, then many developers would simply make it so the app didn't function at all until activated via phoning-home. So the attempt at increased security would again simply leave the end-user in the worst position of all involved, since s/he would be left unable to use the app.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.