User Study on Android Permissions

The goal of the study is to understand how many users care about the different permissions requested by Android apps. It will shed light on how sensitive users are to permissions such as GPS location, and on how likely it is that malware can take advantage of users' behavior to launch various attacks.

The methodology is as follows. We create two identical apps; the only difference is that one requests one or more additional permission(s). If users care about the requested permission(s), they may choose the alternative app with fewer permission requirements.

Many factors can affect a user's decision when choosing apps. Below are a few:

1. The order in which the apps are displayed.

2. The reviews and comments.

For 1, since we can control the order of the two apps, we always place the app that requests more permissions on top. That way, a user who does not care about the requested permission(s), or about any permission, may download the first app encountered, even though there is an alternative right below it. A careful user, on the other hand, may choose the second one. We also publish two apps with the same permissions, which serve as the baseline for measuring how users choose when two apps are the same (most users go for the first one).

For 2, we closely monitor the reviews and comments on both apps; if one gets a good comment, we immediately copy the exact same comment over to the other app.
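One way to read the paired design against its baseline, as an added example that is not the study's own analysis code: it compares the second-listed app's share of downloads in a test pair with the same share in the identical-apps baseline pair, using a one-sided two-proportion z-test. The test choice, the function names and all download counts are assumptions constructed for illustration; they are not results from the study.

```python
import math

# Constructed download counts, for illustration only: (top app, second app).
# In a test pair the top app is the one requesting the extra permission.
BASELINE = (700, 300)  # pair of apps with the same permissions
TEST_PAIRS = {
    "READ_CONTACTS": (550, 450),
    "Fine-grained location (GPS)": (680, 320),
}

def second_app_share(pair):
    """Fraction of a pair's downloads that went to the second-listed app."""
    top, second = pair
    if top + second == 0:
        raise ValueError("pair has no downloads")
    return second / (top + second)

def compare_to_baseline(baseline, test):
    """Return (shift, z, p) for a one-sided two-proportion z-test.

    shift is the gain in second-app share over the baseline pair; p is the
    chance of a shift at least this large if only list order were at work.
    """
    p0, p1 = second_app_share(baseline), second_app_share(test)
    n0, n1 = sum(baseline), sum(test)
    pooled = (baseline[1] + test[1]) / (n0 + n1)
    se = math.sqrt(pooled * (1 - pooled) * (1 / n0 + 1 / n1))
    if se == 0:  # every download landed on the same side in both pairs
        return 0.0, 0.0, 0.5
    z = (p1 - p0) / se
    return p1 - p0, z, 0.5 * math.erfc(z / math.sqrt(2))

def rank_permissions(baseline, test_pairs):
    """Permissions sorted by how far they push users to the second app."""
    rows = [(name, *compare_to_baseline(baseline, pair))
            for name, pair in test_pairs.items()]
    return sorted(rows, key=lambda row: row[1], reverse=True)

if __name__ == "__main__":
    for name, shift, z, p in rank_permissions(BASELINE, TEST_PAIRS):
        print(f"{name:30s} shift={shift:+.3f} z={z:5.2f} p={p:.3g}")
```

A shift near zero means the extra permission did not move users away from the top-listed app beyond the ordering effect the baseline pair already captures.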

The permissions we study include:

1. Coarse-grained location.

2. Fine-grained location (GPS).

3. Contact list.

4. Read SMS.

5. Send SMS.

6. Make phone calls.

7. Make privileged phone calls.

8. Record audio.

Our initial results show that READ_CONTACTS is the most sensitive permission: many users do not want the app to have it.

2004-2010 RobustNet Research Group, University of Michigan, Ann Arbor, MI