Assigning risk scores to apps may slow down unwarranted access to
personal information
October 28, 2014
What
information is beaming from your mobile phone over various computer networks
this very second without you being aware of it?
Experts say
your contact lists, email messages, surfed webpages, browsing histories, usage
patterns, online purchase records and even password protected accounts may all
be sharing data with intrusive and sometimes malicious applications, and you
may have given permission.
"Smartphones
and tablets used by today's consumers include many kinds of sensitive
information," says Ninghui Li, a professor of Computer Science at Purdue
University in Indiana.
The apps
downloaded to them can potentially track a user's locations, monitor his or her
phone calls and even monitor the messages a user sends and receives--including
authentication messages used by online banking and other sites, he says,
explaining why unsecured digital data are such a big issue.
Li, along
with Robert Proctor and Luo Si, also professors at Purdue, leads a National
Science Foundation (NSF)-funded project, "User-Centric Risk Communication
and Control on Mobile Devices," that investigates computer security. The
work pays special attention to user control of security
features in mobile systems.
Li, Proctor
and Si believe they may have a simple solution for users who unknowingly allow
voluntary access to their personal data.
Most users pay little attention
"Although
strong security measures are in place for most mobile systems," they write
in a recent report in the
journal IEEE Transactions on Dependable and Secure Computing, "the area
where these systems often fail is the reliance on the user to make decisions
that impact the security of a device."
Most users
pay little attention, say the researchers, to unwanted access to their personal
information. Instead, they have become habituated to ignore security warnings
and tend to consent to all app permissions.
"If
users do not understand the warnings or their consequences, they will not
consider them," says Proctor, a Distinguished Professor of psychological
sciences at Purdue.
"If
users do not associate violations of the warnings with bad consequences of
their actions, they will likely ignore them," adds Jing Chen, a psychology
Ph.D. student who works on the project.
In addition,
there are other influences that contribute to users ignoring security warnings.
In the case of Android app permissions, of which there are more than 200, many
do not make sense to the average user or at best require time and considerable
mental effort to comprehend.
"Permissions
are not the only factor in users' decisions," says Si, an associate
professor of Computer Science at Purdue, who also led research on a paper with
Li that analyzed app reviews.
"Users
also look at average ratings, number of downloads and user comments," Si
says. "In our studies, we found that there exist correlations between the
quality of an app and the average rating from users, as well as the ratio of
negative comments about security and privacy."
"This
is a classic example of the links between humans and technology," says
Heng Xu, program director in the Secure and Trustworthy Cyberspace program in
NSF's Social, Behavioral and Economic Sciences Directorate. "The Android
smartphones studied by this group of scientists reveal the great need to
understand human perception as it relates to their own privacy and
security."
"The
complexity of modern access control mechanisms in smartphones can confuse even
security experts," says Jeremy Epstein, lead program director for the
Secure and Trustworthy Cyberspace program in NSF's Directorate for Computer and
Information Science and Engineering, which funded the research.
"Safeguards
and protection mechanisms that protect privacy and personal security must be
usable by all smartphone users, to avoid the syndrome of just clicking 'yes' to
get the job done. The SaTC program encourages research like Dr. Li's and
colleagues' that helps address security usability challenges."