security reading group - umiacsdvotipka/misc/apptracersrg.pdf · security reading group schedule:...
TRANSCRIPT
![Page 1: SECURITY READING GROUP - UMIACSdvotipka/misc/AppTracerSRG.pdf · SECURITY READING GROUP Schedule: talks.cs.umd.edu/lists/19 Today’s Talk: User Interaction and Permission Use on](https://reader035.vdocuments.us/reader035/viewer/2022070817/5f131c98356aa21b565c634c/html5/thumbnails/1.jpg)
SECURITY READING GROUPSchedule: talks.cs.umd.edu/lists/19 Today’s Talk: User Interaction and Permission Use on Android - Daniel Votipka
Upcoming Talks: Helping Johnny to Analyze Malware: A Usability-Optimized Decompiler and Malware Analysis User Study - Kristopher Micinski 3450 A.V. Williams 22 Feb @ 1:00pm
Information Flow Security in Practical Systems - Limin Jia, CMU 3460 A.V. Williams 3 Mar @ 11:00am
Signup: http://ter.ps/d7k 1
![Page 2: SECURITY READING GROUP - UMIACSdvotipka/misc/AppTracerSRG.pdf · SECURITY READING GROUP Schedule: talks.cs.umd.edu/lists/19 Today’s Talk: User Interaction and Permission Use on](https://reader035.vdocuments.us/reader035/viewer/2022070817/5f131c98356aa21b565c634c/html5/thumbnails/2.jpg)
User Interactions and Permission Use on Android
Daniel Votipka University of Maryland
![Page 3: SECURITY READING GROUP - UMIACSdvotipka/misc/AppTracerSRG.pdf · SECURITY READING GROUP Schedule: talks.cs.umd.edu/lists/19 Today’s Talk: User Interaction and Permission Use on](https://reader035.vdocuments.us/reader035/viewer/2022070817/5f131c98356aa21b565c634c/html5/thumbnails/3.jpg)
Android Permissions
• Permissions guard access to sensitive resources
• Per-app tokens that allow app to access data
• Authorized at install time
• Newer versions: on first use of resource
![Page 4: SECURITY READING GROUP - UMIACSdvotipka/misc/AppTracerSRG.pdf · SECURITY READING GROUP Schedule: talks.cs.umd.edu/lists/19 Today’s Talk: User Interaction and Permission Use on](https://reader035.vdocuments.us/reader035/viewer/2022070817/5f131c98356aa21b565c634c/html5/thumbnails/4.jpg)
Android Permissions
• Permissions guard access to sensitive resources
• Per-app tokens that allow app to access data
• Authorized at install time
• Newer versions: on first use of resource
![Page 5: SECURITY READING GROUP - UMIACSdvotipka/misc/AppTracerSRG.pdf · SECURITY READING GROUP Schedule: talks.cs.umd.edu/lists/19 Today’s Talk: User Interaction and Permission Use on](https://reader035.vdocuments.us/reader035/viewer/2022070817/5f131c98356aa21b565c634c/html5/thumbnails/5.jpg)
Invasive Notifications
Transparency of Access
All permission systems make choices to balance invasiveness with transparency
![Page 6: SECURITY READING GROUP - UMIACSdvotipka/misc/AppTracerSRG.pdf · SECURITY READING GROUP Schedule: talks.cs.umd.edu/lists/19 Today’s Talk: User Interaction and Permission Use on](https://reader035.vdocuments.us/reader035/viewer/2022070817/5f131c98356aa21b565c634c/html5/thumbnails/6.jpg)
Integrate Permissions w/ UI• UI deeply informs user’s mental model of behavior
• Hypothesis: Achieve better balance by integrating UI
• Complementary studies measure this
• App study: determine when top apps access resources
• User study: study how interaction affects expectation
![Page 7: SECURITY READING GROUP - UMIACSdvotipka/misc/AppTracerSRG.pdf · SECURITY READING GROUP Schedule: talks.cs.umd.edu/lists/19 Today’s Talk: User Interaction and Permission Use on](https://reader035.vdocuments.us/reader035/viewer/2022070817/5f131c98356aa21b565c634c/html5/thumbnails/7.jpg)
App Study• When do top apps access resources?
• Dynamic analysis / visualization
• Show when access happens in context of app UI
• Assemble codebook to categorize patterns
• 150 top apps from Google Play
![Page 8: SECURITY READING GROUP - UMIACSdvotipka/misc/AppTracerSRG.pdf · SECURITY READING GROUP Schedule: talks.cs.umd.edu/lists/19 Today’s Talk: User Interaction and Permission Use on](https://reader035.vdocuments.us/reader035/viewer/2022070817/5f131c98356aa21b565c634c/html5/thumbnails/8.jpg)
• Dynamic analysis tool to classify resource uses
• Collects logs from instrumented app
• Log method entries / exits via binary rewriting
• Manually explore app to collect logs
• Generates event graph from logs
![Page 9: SECURITY READING GROUP - UMIACSdvotipka/misc/AppTracerSRG.pdf · SECURITY READING GROUP Schedule: talks.cs.umd.edu/lists/19 Today’s Talk: User Interaction and Permission Use on](https://reader035.vdocuments.us/reader035/viewer/2022070817/5f131c98356aa21b565c634c/html5/thumbnails/9.jpg)
• Log UI-relevant and permissions-relevant calls
• Uses PScout, maps API calls to permissions
• Log method names and parameters / return values
• Bookkeeping info: threads, screenshots, etc…
• Extends Redexer, Android rewriter we developed
[Au et al. CCS-2012]
![Page 10: SECURITY READING GROUP - UMIACSdvotipka/misc/AppTracerSRG.pdf · SECURITY READING GROUP Schedule: talks.cs.umd.edu/lists/19 Today’s Talk: User Interaction and Permission Use on](https://reader035.vdocuments.us/reader035/viewer/2022070817/5f131c98356aa21b565c634c/html5/thumbnails/10.jpg)
public class HomeActivity { public class DoTask { public void run() { Location l = LocManager.getLastLoc(); // ... String n = TelManager.getLine1Number(); // ... public void onCreate(Bundle b) { // ... findCoffeeButton.setOnClickListener( new View.OnClickListener() { public void onClick(int id) { DoTaskThread t = new DoTaskThread(); t.start(); }); } } } }
![Page 11: SECURITY READING GROUP - UMIACSdvotipka/misc/AppTracerSRG.pdf · SECURITY READING GROUP Schedule: talks.cs.umd.edu/lists/19 Today’s Talk: User Interaction and Permission Use on](https://reader035.vdocuments.us/reader035/viewer/2022070817/5f131c98356aa21b565c634c/html5/thumbnails/11.jpg)
public class HomeActivity { public class DoTask { public void run() { logEnt("run"); logEnt(“Loc...getLastLoc"); Location l = LocManager.getLastLoc(); logExit("Loc...getLastLoc", l); // ... logEnt("Tel...getLine1Number"); String n = TelManager.getLine1Number(); logExit("Tel...getLine1Number", n); } } // ... logExit("run"); public void onCreate(Bundle b) { logEnt(“HomeAc...onCreate",this,b); // ... findCoffeeButton.setOnClickListener( new View.OnClickListener() { public void onClick(int id) { logEnt("onClick"); DoTaskThread t = new DoTaskThread(); logThreadStart(t); t.start(); logExit("onClick"); }); logExit(“HomeActivity.onCreate”); } } } }
public class HomeActivity { public class DoTask { public void run() { Location l = LocManager.getLastLoc(); // ... String n = TelManager.getLine1Number(); // ... public void onCreate(Bundle b) { // ... findCoffeeButton.setOnClickListener( new View.OnClickListener() { public void onClick(int id) { DoTaskThread t = new DoTaskThread(); t.start(); }); } } } }
Redexer
![Page 12: SECURITY READING GROUP - UMIACSdvotipka/misc/AppTracerSRG.pdf · SECURITY READING GROUP Schedule: talks.cs.umd.edu/lists/19 Today’s Talk: User Interaction and Permission Use on](https://reader035.vdocuments.us/reader035/viewer/2022070817/5f131c98356aa21b565c634c/html5/thumbnails/12.jpg)
Run Apppublic class HomeActivity { public class DoTask { public void run() { logEnt("run"); logEnt(“Loc...getLastLoc"); Location l = LocManager.getLastLoc(); logExit("Loc...getLastLoc", l); // ... logEnt("Tel...getLine1Number"); String n = TelManager.getLine1Number(); logExit("Tel...getLine1Number", n); } } // ... logExit("run"); public void onCreate(Bundle b) { logEnt(“HomeAc...onCreate",this,b); // ... findCoffeeButton.setOnClickListener( new View.OnClickListener() { public void onClick(int id) { logEnt("onClick"); DoTaskThread t = new DoTaskThread(); logThreadStart(t); t.start(); logExit("onClick"); }); logExit(“HomeActivity.onCreate”); } } } }
![Page 13: SECURITY READING GROUP - UMIACSdvotipka/misc/AppTracerSRG.pdf · SECURITY READING GROUP Schedule: talks.cs.umd.edu/lists/19 Today’s Talk: User Interaction and Permission Use on](https://reader035.vdocuments.us/reader035/viewer/2022070817/5f131c98356aa21b565c634c/html5/thumbnails/13.jpg)
> HomeActivity.onCreate()< HomeActivity.onCreate()> onClick(id = <"Find Coffee">)> Thread start(id = 323)< onClick()> (323) DoTask.run()> (323) LocManager.getLastLoc()< (323) LocManager.getLastLoc(Loc=<...>)> (323) TelManager.getLine1Number()< (323) LocManager.getLine1Number("...")< (323) DoTask.run()> HomeActivity.onStop()< HomeActivity.onStop()
Run Apppublic class HomeActivity { public class DoTask { public void run() { logEnt("run"); logEnt(“Loc...getLastLoc"); Location l = LocManager.getLastLoc(); logExit("Loc...getLastLoc", l); // ... logEnt("Tel...getLine1Number"); String n = TelManager.getLine1Number(); logExit("Tel...getLine1Number", n); } } // ... logExit("run"); public void onCreate(Bundle b) { logEnt(“HomeAc...onCreate",this,b); // ... findCoffeeButton.setOnClickListener( new View.OnClickListener() { public void onClick(int id) { logEnt("onClick"); DoTaskThread t = new DoTaskThread(); logThreadStart(t); t.start(); logExit("onClick"); }); logExit(“HomeActivity.onCreate”); } } } }
![Page 14: SECURITY READING GROUP - UMIACSdvotipka/misc/AppTracerSRG.pdf · SECURITY READING GROUP Schedule: talks.cs.umd.edu/lists/19 Today’s Talk: User Interaction and Permission Use on](https://reader035.vdocuments.us/reader035/viewer/2022070817/5f131c98356aa21b565c634c/html5/thumbnails/14.jpg)
• Interprets log to assemble event graph of program
• Nodes are UI/permissions-relevant events
• Identified by method names
• Edge between nodes when one happens before another
• Also partial model of system (activities, services, etc..)
• Nodes are enclosed in boxes representing app activities
![Page 15: SECURITY READING GROUP - UMIACSdvotipka/misc/AppTracerSRG.pdf · SECURITY READING GROUP Schedule: talks.cs.umd.edu/lists/19 Today’s Talk: User Interaction and Permission Use on](https://reader035.vdocuments.us/reader035/viewer/2022070817/5f131c98356aa21b565c634c/html5/thumbnails/15.jpg)
> HomeActivity.onCreate()< HomeActivity.onCreate()> onClick(id = <"Find Coffee">)> Thread start(id = 323)< onClick()> (323) DoTask.run()> (323) LocManager.getLastLoc()< (323) LocManager.getLastLoc(Loc=<...>)> (323) TelManager.getLine1Number()< (323) LocManager.getLine1Number("...")< (323) DoTask.run()> HomeActivity.onStop()< HomeActivity.onStop()
![Page 16: SECURITY READING GROUP - UMIACSdvotipka/misc/AppTracerSRG.pdf · SECURITY READING GROUP Schedule: talks.cs.umd.edu/lists/19 Today’s Talk: User Interaction and Permission Use on](https://reader035.vdocuments.us/reader035/viewer/2022070817/5f131c98356aa21b565c634c/html5/thumbnails/16.jpg)
> HomeActivity.onCreate()< HomeActivity.onCreate()> onClick(id = <"Find Coffee">)> Thread start(id = 323)< onClick()> (323) DoTask.run()> (323) LocManager.getLastLoc()< (323) LocManager.getLastLoc(Loc=<...>)> (323) TelManager.getLine1Number()< (323) LocManager.getLine1Number("...")< (323) DoTask.run()> HomeActivity.onStop()< HomeActivity.onStop()
![Page 17: SECURITY READING GROUP - UMIACSdvotipka/misc/AppTracerSRG.pdf · SECURITY READING GROUP Schedule: talks.cs.umd.edu/lists/19 Today’s Talk: User Interaction and Permission Use on](https://reader035.vdocuments.us/reader035/viewer/2022070817/5f131c98356aa21b565c634c/html5/thumbnails/17.jpg)
• Define classification system for resource uses
• Initial codebook based off knowledge of apps
• Refined codebook iteratively by coding sets of five apps (20 apps total)
• Six unique codes representing patterns in apps
![Page 18: SECURITY READING GROUP - UMIACSdvotipka/misc/AppTracerSRG.pdf · SECURITY READING GROUP Schedule: talks.cs.umd.edu/lists/19 Today’s Talk: User Interaction and Permission Use on](https://reader035.vdocuments.us/reader035/viewer/2022070817/5f131c98356aa21b565c634c/html5/thumbnails/18.jpg)
Code DefinitionsClick
• Directly after click on related UI element
Page• Throughout the duration of a
related activity
Click
![Page 19: SECURITY READING GROUP - UMIACSdvotipka/misc/AppTracerSRG.pdf · SECURITY READING GROUP Schedule: talks.cs.umd.edu/lists/19 Today’s Talk: User Interaction and Permission Use on](https://reader035.vdocuments.us/reader035/viewer/2022070817/5f131c98356aa21b565c634c/html5/thumbnails/19.jpg)
Code DefinitionsStartup
• After startup but before first activity
Bg-App• When app in foreground, but
not directly because of related UI event
Bg-Ext• In response to system event
(app not necessarily on screen)
Startup
Bg-Ext
![Page 20: SECURITY READING GROUP - UMIACSdvotipka/misc/AppTracerSRG.pdf · SECURITY READING GROUP Schedule: talks.cs.umd.edu/lists/19 Today’s Talk: User Interaction and Permission Use on](https://reader035.vdocuments.us/reader035/viewer/2022070817/5f131c98356aa21b565c634c/html5/thumbnails/20.jpg)
Code DefinitionsUncertain
• When AppTracer not precise enough for us to say
Uncertain
![Page 21: SECURITY READING GROUP - UMIACSdvotipka/misc/AppTracerSRG.pdf · SECURITY READING GROUP Schedule: talks.cs.umd.edu/lists/19 Today’s Talk: User Interaction and Permission Use on](https://reader035.vdocuments.us/reader035/viewer/2022070817/5f131c98356aa21b565c634c/html5/thumbnails/21.jpg)
Study Mechanics• Downloaded top 20 free-apps from 27 Google Play
categories -> 503 unique apps
• Randomly selected 150 apps to test with the following exclusions: • Redexer failed to rewrite 48 apps • 23 apps would not run in modified form • 16 apps required accounts that could not be
easily acquired (e.g. bank account)
![Page 22: SECURITY READING GROUP - UMIACSdvotipka/misc/AppTracerSRG.pdf · SECURITY READING GROUP Schedule: talks.cs.umd.edu/lists/19 Today’s Talk: User Interaction and Permission Use on](https://reader035.vdocuments.us/reader035/viewer/2022070817/5f131c98356aa21b565c634c/html5/thumbnails/22.jpg)
Limitations
• Dynamic analysis does not cover all possible execution paths
• Redexer could miss pertinent method calls
• Imprecision introduced by AppTracer visualization
• We only test on popular apps
![Page 23: SECURITY READING GROUP - UMIACSdvotipka/misc/AppTracerSRG.pdf · SECURITY READING GROUP Schedule: talks.cs.umd.edu/lists/19 Today’s Talk: User Interaction and Permission Use on](https://reader035.vdocuments.us/reader035/viewer/2022070817/5f131c98356aa21b565c634c/html5/thumbnails/23.jpg)
App Study Results
![Page 24: SECURITY READING GROUP - UMIACSdvotipka/misc/AppTracerSRG.pdf · SECURITY READING GROUP Schedule: talks.cs.umd.edu/lists/19 Today’s Talk: User Interaction and Permission Use on](https://reader035.vdocuments.us/reader035/viewer/2022070817/5f131c98356aa21b565c634c/html5/thumbnails/24.jpg)
![Page 25: SECURITY READING GROUP - UMIACSdvotipka/misc/AppTracerSRG.pdf · SECURITY READING GROUP Schedule: talks.cs.umd.edu/lists/19 Today’s Talk: User Interaction and Permission Use on](https://reader035.vdocuments.us/reader035/viewer/2022070817/5f131c98356aa21b565c634c/html5/thumbnails/25.jpg)
Sensitive resources mainly used interactively
Legitimate outliers (e.g., taking pic of intruder)
![Page 26: SECURITY READING GROUP - UMIACSdvotipka/misc/AppTracerSRG.pdf · SECURITY READING GROUP Schedule: talks.cs.umd.edu/lists/19 Today’s Talk: User Interaction and Permission Use on](https://reader035.vdocuments.us/reader035/viewer/2022070817/5f131c98356aa21b565c634c/html5/thumbnails/26.jpg)
Mix interactive / non-interactive use
Frequently supported foreground use
![Page 27: SECURITY READING GROUP - UMIACSdvotipka/misc/AppTracerSRG.pdf · SECURITY READING GROUP Schedule: talks.cs.umd.edu/lists/19 Today’s Talk: User Interaction and Permission Use on](https://reader035.vdocuments.us/reader035/viewer/2022070817/5f131c98356aa21b565c634c/html5/thumbnails/27.jpg)
Mostly non-interactive use
Devs believe less sensitive?
Hard to explain to users?
![Page 28: SECURITY READING GROUP - UMIACSdvotipka/misc/AppTracerSRG.pdf · SECURITY READING GROUP Schedule: talks.cs.umd.edu/lists/19 Today’s Talk: User Interaction and Permission Use on](https://reader035.vdocuments.us/reader035/viewer/2022070817/5f131c98356aa21b565c634c/html5/thumbnails/28.jpg)
Mostly click-based interaction. Location used frequently for (e.g.,) maps
![Page 29: SECURITY READING GROUP - UMIACSdvotipka/misc/AppTracerSRG.pdf · SECURITY READING GROUP Schedule: talks.cs.umd.edu/lists/19 Today’s Talk: User Interaction and Permission Use on](https://reader035.vdocuments.us/reader035/viewer/2022070817/5f131c98356aa21b565c634c/html5/thumbnails/29.jpg)
User Expectation Survey• Do user expectations align with patterns used?
• H1. Users are more likely to expect resource access with an interactive use pattern than without
• H2. The more apps use resources, the more likely users are to expect background uses
• H3. Users are more likely to expect resource accesses they have seen before
![Page 30: SECURITY READING GROUP - UMIACSdvotipka/misc/AppTracerSRG.pdf · SECURITY READING GROUP Schedule: talks.cs.umd.edu/lists/19 Today’s Talk: User Interaction and Permission Use on](https://reader035.vdocuments.us/reader035/viewer/2022070817/5f131c98356aa21b565c634c/html5/thumbnails/30.jpg)
Blurb about what app does
![Page 31: SECURITY READING GROUP - UMIACSdvotipka/misc/AppTracerSRG.pdf · SECURITY READING GROUP Schedule: talks.cs.umd.edu/lists/19 Today’s Talk: User Interaction and Permission Use on](https://reader035.vdocuments.us/reader035/viewer/2022070817/5f131c98356aa21b565c634c/html5/thumbnails/31.jpg)
User Action: Click, Notification, or Background
Possibly show auth dialog(Could also occur at launch or never)
Note: this scenario about microphone
(Clk,Bn,Bg)
![Page 32: SECURITY READING GROUP - UMIACSdvotipka/misc/AppTracerSRG.pdf · SECURITY READING GROUP Schedule: talks.cs.umd.edu/lists/19 Today’s Talk: User Interaction and Permission Use on](https://reader035.vdocuments.us/reader035/viewer/2022070817/5f131c98356aa21b565c634c/html5/thumbnails/32.jpg)
Likert scale questions
![Page 33: SECURITY READING GROUP - UMIACSdvotipka/misc/AppTracerSRG.pdf · SECURITY READING GROUP Schedule: talks.cs.umd.edu/lists/19 Today’s Talk: User Interaction and Permission Use on](https://reader035.vdocuments.us/reader035/viewer/2022070817/5f131c98356aa21b565c634c/html5/thumbnails/33.jpg)
Asks about micOthers for distraction
Implicitly measures Bg use for location
![Page 34: SECURITY READING GROUP - UMIACSdvotipka/misc/AppTracerSRG.pdf · SECURITY READING GROUP Schedule: talks.cs.umd.edu/lists/19 Today’s Talk: User Interaction and Permission Use on](https://reader035.vdocuments.us/reader035/viewer/2022070817/5f131c98356aa21b565c634c/html5/thumbnails/34.jpg)
Ex: “which button would you press if you wanted to find a new
coffee shop and add it to your favorites?”
![Page 35: SECURITY READING GROUP - UMIACSdvotipka/misc/AppTracerSRG.pdf · SECURITY READING GROUP Schedule: talks.cs.umd.edu/lists/19 Today’s Talk: User Interaction and Permission Use on](https://reader035.vdocuments.us/reader035/viewer/2022070817/5f131c98356aa21b565c634c/html5/thumbnails/35.jpg)
Go back to home screen
![Page 36: SECURITY READING GROUP - UMIACSdvotipka/misc/AppTracerSRG.pdf · SECURITY READING GROUP Schedule: talks.cs.umd.edu/lists/19 Today’s Talk: User Interaction and Permission Use on](https://reader035.vdocuments.us/reader035/viewer/2022070817/5f131c98356aa21b565c634c/html5/thumbnails/36.jpg)
Is Mic still expected? Measures Bg use after foreground use
![Page 37: SECURITY READING GROUP - UMIACSdvotipka/misc/AppTracerSRG.pdf · SECURITY READING GROUP Schedule: talks.cs.umd.edu/lists/19 Today’s Talk: User Interaction and Permission Use on](https://reader035.vdocuments.us/reader035/viewer/2022070817/5f131c98356aa21b565c634c/html5/thumbnails/37.jpg)
Conditions StudiedApp Resource Authorization Int. Patterns
Coffee Mic First use Clk-Clk
Fitness Contacts Launch Clk-Bg
Location Never Bn-Bg
Bg-Bg
![Page 38: SECURITY READING GROUP - UMIACSdvotipka/misc/AppTracerSRG.pdf · SECURITY READING GROUP Schedule: talks.cs.umd.edu/lists/19 Today’s Talk: User Interaction and Permission Use on](https://reader035.vdocuments.us/reader035/viewer/2022070817/5f131c98356aa21b565c634c/html5/thumbnails/38.jpg)
Conditions StudiedApp Resource Authorization Int. Patterns
Coffee Mic First use Clk-Clk
Fitness Contacts Launch Clk-Bg
Location Never Bn-Bg
Bg-Bg
Chose three resources we believe representative
![Page 39: SECURITY READING GROUP - UMIACSdvotipka/misc/AppTracerSRG.pdf · SECURITY READING GROUP Schedule: talks.cs.umd.edu/lists/19 Today’s Talk: User Interaction and Permission Use on](https://reader035.vdocuments.us/reader035/viewer/2022070817/5f131c98356aa21b565c634c/html5/thumbnails/39.jpg)
Conditions StudiedApp Resource Authorization Int. Patterns
Coffee Mic First use Clk-Clk
Fitness Contacts Launch Clk-Bg
Location Never Bn-Bg
Bg-Bg
Only tested with Launch
![Page 40: SECURITY READING GROUP - UMIACSdvotipka/misc/AppTracerSRG.pdf · SECURITY READING GROUP Schedule: talks.cs.umd.edu/lists/19 Today’s Talk: User Interaction and Permission Use on](https://reader035.vdocuments.us/reader035/viewer/2022070817/5f131c98356aa21b565c634c/html5/thumbnails/40.jpg)
Conditions StudiedApp Resource Authorization Int. Patterns
Coffee Mic First use Clk-Clk
Fitness Contacts Launch Clk-Bg
Location Never Bn-Bg
Bg-Bg
![Page 41: SECURITY READING GROUP - UMIACSdvotipka/misc/AppTracerSRG.pdf · SECURITY READING GROUP Schedule: talks.cs.umd.edu/lists/19 Today’s Talk: User Interaction and Permission Use on](https://reader035.vdocuments.us/reader035/viewer/2022070817/5f131c98356aa21b565c634c/html5/thumbnails/41.jpg)
Study Mechanics• Mechanical Turk survey of 961 users
• Each user saw one scenario
• Paid $1 for survey, median time of ~5 minutes
• Tested 42 different scenarios
• Used round-robin assignment
![Page 42: SECURITY READING GROUP - UMIACSdvotipka/misc/AppTracerSRG.pdf · SECURITY READING GROUP Schedule: talks.cs.umd.edu/lists/19 Today’s Talk: User Interaction and Permission Use on](https://reader035.vdocuments.us/reader035/viewer/2022070817/5f131c98356aa21b565c634c/html5/thumbnails/42.jpg)
Statistical Analysis• Logistic regressions over Likert data
• Two regressions:
• First access (H1: how does interaction affect expectation, H2: Does the number of apps using a resource affect expectation)
• Second access (H3: how do prior accesses affect future expectation)
• Compared to baseline scenario, how much more likely are you to go up one ordinal point in scale?
• Baseline scenario: Coffee, Mic, Never, Bg-Bg
![Page 43: SECURITY READING GROUP - UMIACSdvotipka/misc/AppTracerSRG.pdf · SECURITY READING GROUP Schedule: talks.cs.umd.edu/lists/19 Today’s Talk: User Interaction and Permission Use on](https://reader035.vdocuments.us/reader035/viewer/2022070817/5f131c98356aa21b565c634c/html5/thumbnails/43.jpg)
Limitations
• We only use two mock apps
• Relatively short period between the first and second resource use
• Participants may not answer truthfully or may try to submit multiple responses
![Page 44: SECURITY READING GROUP - UMIACSdvotipka/misc/AppTracerSRG.pdf · SECURITY READING GROUP Schedule: talks.cs.umd.edu/lists/19 Today’s Talk: User Interaction and Permission Use on](https://reader035.vdocuments.us/reader035/viewer/2022070817/5f131c98356aa21b565c634c/html5/thumbnails/44.jpg)
Interactivity v. Expectation• H1 holds: more interactive the pattern, more likely user is to
expect access
• 106 times more expected for Click than Bg
• 4 times more expected for Notification than Bg
• Confidence intervals don’t overlap: Click > Bg
• Explicit authorization also shows significant increase
• First Use: 2.2 times as likely
• Launch: 1.9 times as likely
![Page 45: SECURITY READING GROUP - UMIACSdvotipka/misc/AppTracerSRG.pdf · SECURITY READING GROUP Schedule: talks.cs.umd.edu/lists/19 Today’s Talk: User Interaction and Permission Use on](https://reader035.vdocuments.us/reader035/viewer/2022070817/5f131c98356aa21b565c634c/html5/thumbnails/45.jpg)
Def YesProb YesUnsureProb NotDef Not
Bg
Bn
Clk
0 25 50 75 100Percent of participants
Likert Responses for First Use
Click much more expected, Bn too
![Page 46: SECURITY READING GROUP - UMIACSdvotipka/misc/AppTracerSRG.pdf · SECURITY READING GROUP Schedule: talks.cs.umd.edu/lists/19 Today’s Talk: User Interaction and Permission Use on](https://reader035.vdocuments.us/reader035/viewer/2022070817/5f131c98356aa21b565c634c/html5/thumbnails/46.jpg)
H1: Interactivity v. Expectation
• The more interactive the pattern, the more likely user is to expect access
• 106 times more expected for Click than Bg
• 4 times more expected for Notification than Bg
• Confidence intervals don’t overlap: Click > Bg
• Explicit authorization also shows significant increase
• First Use: 2.2 times as likely
• Launch: 1.9 times as likely
![Page 47: SECURITY READING GROUP - UMIACSdvotipka/misc/AppTracerSRG.pdf · SECURITY READING GROUP Schedule: talks.cs.umd.edu/lists/19 Today’s Talk: User Interaction and Permission Use on](https://reader035.vdocuments.us/reader035/viewer/2022070817/5f131c98356aa21b565c634c/html5/thumbnails/47.jpg)
H2: Real World Freq vs. Expectation
• Location was generally most expected
• Press, frequently seen in action bar, etc..?
• No significant difference between mic and contacts
• Mic uses were very unexpected without interaction
![Page 48: SECURITY READING GROUP - UMIACSdvotipka/misc/AppTracerSRG.pdf · SECURITY READING GROUP Schedule: talks.cs.umd.edu/lists/19 Today’s Talk: User Interaction and Permission Use on](https://reader035.vdocuments.us/reader035/viewer/2022070817/5f131c98356aa21b565c634c/html5/thumbnails/48.jpg)
H3: Effect of Prior Access• More likely to expect Bg access when prior event (Bn:
2.1, Lch: 1.7) indicated Bg use could occur
• Prior event of Click not significantly different from Bg
• First Use not significantly different from Never for second access
• First Use may condition users to expect a single access
• Authorizing location on first use: lower Bg expectation later!
![Page 49: SECURITY READING GROUP - UMIACSdvotipka/misc/AppTracerSRG.pdf · SECURITY READING GROUP Schedule: talks.cs.umd.edu/lists/19 Today’s Talk: User Interaction and Permission Use on](https://reader035.vdocuments.us/reader035/viewer/2022070817/5f131c98356aa21b565c634c/html5/thumbnails/49.jpg)
Design Recommendations
![Page 50: SECURITY READING GROUP - UMIACSdvotipka/misc/AppTracerSRG.pdf · SECURITY READING GROUP Schedule: talks.cs.umd.edu/lists/19 Today’s Talk: User Interaction and Permission Use on](https://reader035.vdocuments.us/reader035/viewer/2022070817/5f131c98356aa21b565c634c/html5/thumbnails/50.jpg)
Access Resources Interactively
• Camera, Mic, Media, Calendar: already interactive
• Some legitimate outliers, but users should be made aware of them
• We recommend these uses always be interactive
• E.g., enforce in market, audit outliers?
![Page 51: SECURITY READING GROUP - UMIACSdvotipka/misc/AppTracerSRG.pdf · SECURITY READING GROUP Schedule: talks.cs.umd.edu/lists/19 Today’s Talk: User Interaction and Permission Use on](https://reader035.vdocuments.us/reader035/viewer/2022070817/5f131c98356aa21b565c634c/html5/thumbnails/51.jpg)
Interaction Grants Authorization
• No need for explicit authorization after interactions
• “I just clicked ‘import contacts’! Why is it asking me again?”
• Minimize burden, more capacity for important decisions
• Ensure interactions are relevant
• Perhaps use tool like AppTracer to help audit?
• Access Control Gadgets [Ringer et al. CCS-2016]
![Page 52: SECURITY READING GROUP - UMIACSdvotipka/misc/AppTracerSRG.pdf · SECURITY READING GROUP Schedule: talks.cs.umd.edu/lists/19 Today’s Talk: User Interaction and Permission Use on](https://reader035.vdocuments.us/reader035/viewer/2022070817/5f131c98356aa21b565c634c/html5/thumbnails/52.jpg)
Separate Background Authorization
• Placing it near interactive use may fool users
• We recommend placing it on start
• Future work: understand types of background use
• Do users differentiate different background uses?
• Does frequency, information flow, etc… matter?
![Page 53: SECURITY READING GROUP - UMIACSdvotipka/misc/AppTracerSRG.pdf · SECURITY READING GROUP Schedule: talks.cs.umd.edu/lists/19 Today’s Talk: User Interaction and Permission Use on](https://reader035.vdocuments.us/reader035/viewer/2022070817/5f131c98356aa21b565c634c/html5/thumbnails/53.jpg)
Takeaways• Balance awareness vs. invasiveness by integrating UI
• Android heading in right direction
• But asks too often and not enough
• Most sensitive resources already used interactively
• Aligns with user expectations
• Interactive / background authorization should be separated
http://cs.umd.edu/~micinski/apptracer-2016.pdf