Android Permissions: User Attention, Comprehension, and Behavior

Android’s permission system is intended to inform users about the risks of installing applications. When a user installs an application, he or she has the opportunity to review the application’s permission requests and cancel the installation if the permissions are excessive or objectionable. We examine whether the Android permission system is effective at warning users. In particular, we evaluate whether Android users pay attention to, understand, and act on permission information during installation. We performed two usability studies: an Internet survey of 308 Android users, and a laboratory study wherein we interviewed and observed 25 Android users. Study participants displayed low attention and comprehension rates: both the Internet survey and laboratory study found that 17% of participants paid attention to permissions during installation, and only 3% of Internet survey respondents could correctly answer all three permission comprehension questions. This indicates that current Android permission warnings do not help most users make correct security decisions. However, a notable minority of users demonstrated both awareness of permission warnings and reasonable rates of comprehension. We present recommendations for improving user attention and comprehension, as well as identify open challenges.

1. INTRODUCTION
Android supports a booming third-party application market. As of July 2011, the Android Market included more than 250,000 applications, which have been downloaded more than six billion times. Unfortunately, the growth in the Android platform has triggered the interest of unscrupulous application developers. Android grayware collects excessive amounts of personal information (e.g., for aggressive marketing campaigns), and malware harvests data or sends premium SMS messages for profit. Grayware and malware have both been found in the Android Market, and the rate of new malware is increasing over time.
Google does not review or restrict Android applications. Instead, Android uses permissions to alert users to privacy- or security-invasive applications. When a user initiates the process of installing an application, he or she is shown the list of permissions that the application requests. This list identifies all of the phone resources that the application will have access to if it is installed. For example, an application with the SEND_SMS permission can send text messages, but an application without that permission cannot. If the user is not comfortable with the application’s permission requests, then he or she can cancel the installation. Users are not shown permissions at any time other than installation.
In this paper, we explore whether Android permissions are usable security indicators that fulfill their stated purpose: “inform the user of the capabilities [their] applications have”. We base our inquiry on Wogalter’s Communication-Human Information Processing (C-HIP) model, which provides a framework for structuring warning research. The C-HIP model identifies a set of steps between the delivery of a warning and the user’s final behavior. We connect each step with a research question:

1. Attention switch and maintenance. Do users notice permissions before installing an application? A user needs to switch focus from the primary task (i.e., installation) to the permission warnings, and she needs to focus on the permission warnings for long enough to read and evaluate them.
2. Comprehension and memory. Do users understand how permissions correspond to application risks? Users need to understand the scope and implications of permissions.
3. Attitudes and belief. Do users believe that permissions accurately convey risk? Do users trust the permission system to limit applications’ abilities?
4. Motivation. Are users motivated to consider permissions? Do users care about their phones’ privacy and security? Do they view applications as threats?
5. Behavior. Do permissions influence users’ installation decisions? Do users ever cancel installation because of permissions? Users should not install applications whose permissions exceed their comfort thresholds.

Each step is critical: a failure of usability at any step will render all subsequent steps irrelevant.
We performed two usability studies to address the attention, comprehension, and behavior questions. First, we surveyed 308 Android users with an Internet questionnaire to collect data about their understanding and use of permissions. Next, we observed and interviewed 25 Android users in a laboratory study to gather nuanced data. The two studies serve to confirm and validate each other. We do not study attitudes or motivation because we find that most users fail to pass the attention and comprehension steps.
Our primary findings are:
• Attention. In both the Internet survey and laboratory study, 17% of participants paid attention to permissions during a given installation. At the same time, 42% of laboratory participants were unaware of the existence of permissions.
• Comprehension. Overall, participants demonstrated very low rates of comprehension. Only 3% of Internet survey respondents could correctly answer three comprehension questions. However, 24% of laboratory study participants demonstrated competent—albeit imperfect—comprehension.
• Behavior. A majority of Internet survey respondents claimed to have decided not to install an application because of its permissions at least once. Twenty percent of our laboratory study participants were able to provide concrete details about times that permissions caused them to cancel installation.

Our findings indicate that the Android permission system is neither a total success nor a complete failure. Due to low attention and comprehension rates, permissions alone do not protect most users from undesirable applications (i.e., malware or grayware).
However, a minority of laboratory study participants (20%) demonstrated awareness of permissions and reasonable rates of understanding (comprehension grades of 70% or higher). This minority could be sufficient to protect others if their opinions about application permissions could be successfully communicated via user reviews. We also found that some people have altered their behavior based on permissions, which demonstrates that users can be receptive to security and privacy warnings during installation.
Contributions. We contribute the following:
• Android permissions are intended to inform users about the risks of installing applications. We evaluate whether Android permissions are effective security indicators.
• Researchers have speculated that Android permission warnings are ignored by users. We perform two studies to investigate how people use permissions in practice; to our knowledge, we are the first to provide quantitative data.
• We explore the reasons why users do not pay attention to or understand Android permissions, and we identify specific problems with the way permissions are presented.

2. BACKGROUND AND RELATED WORK
In this section, we provide an overview of Android permissions and the installation process. We then present some of the relevant literature on smartphone privacy and the effectiveness of warnings.

2.1 Android Permissions
In order to protect Android users, applications’ access to phone resources is restricted with permissions. An application must obtain permissions in order to use sensitive resources like the camera, microphone, or call log. For example, an application must have the READ_CONTACTS permission in order to read entries in a user’s phonebook. Android 2.2 defines 134 permissions.
Obtaining permissions is a two-step process. First, an application developer declares that his or her application requires certain permissions in a file that is packaged with the application. Second, the user must approve the permissions requested before installation. Each application has its own set of permissions that reflects its functionality and requirements. Users can weigh the permissions against their trust of the application and personal privacy concerns.
The official Android Market provides every application with two installation pages. The first installation page includes a description, user reviews, screenshots, and a “Download” button. After pressing “Download,” the user arrives at a final installation page that includes the application’s requested permissions (Figure 1). Permissions are displayed as a three-layer warning: a large heading that states each permission’s general category, a small label that describes the specific permission, and a hidden details dialog. If an application requests multiple permissions in the same category, their labels will be grouped together under that category heading. If a user clicks on a permission, the details dialog opens. The details dialog may include examples of how malicious applications can abuse the permission (e.g., “Malicious applications can use this to send your data to other people”). The permission system gives users a binary choice: they can cancel the installation, or they can accept all of the permissions and proceed with installation.
On most phones, Android users can also download applications from non-Google stores like the Amazon Appstore. When a user selects an application through an unofficial store, that store might not present permission information. However, Android’s installation system will always present the user with a permission page before the application is installed on the phone. Like the final installation page in the Android Market, the installer displays permissions as a multi-layer warning. This paper focuses on the Android Market’s installation process because the official Android Market is the primary distributor of Android applications.
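
The two-step process and the grouped warning described above can be sketched as follows. This is an added example, not code from the paper or from Android: the manifest is constructed, and the category headings and labels in `CATALOG` are an assumed, partial mapping written to resemble the installer's wording.

```python
import xml.etree.ElementTree as ET
from collections import OrderedDict

# Attribute namespace used by Android manifest files.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample: the file a developer packages with the application.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.coupons">
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.SEND_SMS" />
    <uses-permission android:name="android.permission.READ_SMS" />
    <uses-permission android:name="android.permission.RECEIVE_SMS" />
    <uses-permission android:name="android.permission.READ_CONTACTS" />
    <uses-permission android:name="android.permission.READ_CONTACTS" />
    <uses-permission android:name="com.example.coupons.permission.SYNC" />
    <application android:label="Coupons" />
</manifest>
""".strip()

# Assumed, partial mapping: permission -> (category heading, small label).
CATALOG = {
    "android.permission.INTERNET":
        ("Network communication", "full Internet access"),
    "android.permission.SEND_SMS":
        ("Services that cost you money", "send SMS messages"),
    "android.permission.READ_SMS":
        ("Your messages", "read SMS or MMS"),
    "android.permission.RECEIVE_SMS":
        ("Your messages", "receive SMS"),
    "android.permission.READ_CONTACTS":
        ("Your personal information", "read contact data"),
    "android.permission.CAMERA":
        ("Hardware controls", "take pictures and videos"),
}


def requested_permissions(manifest_xml):
    """Step 1: the permissions the developer declared, de-duplicated,
    in declaration order."""
    root = ET.fromstring(manifest_xml)
    seen = []
    for node in root.findall("uses-permission"):
        name = node.get(ANDROID_NS + "name")
        if name and name not in seen:
            seen.append(name)
    return seen


def group_for_display(permissions):
    """Step 2: group labels under their category heading, as the
    installation page does. Permissions missing from CATALOG (for
    example application-defined ones) are listed by raw name."""
    groups = OrderedDict()
    for perm in permissions:
        heading, label = CATALOG.get(perm, ("Other", perm))
        groups.setdefault(heading, []).append(label)
    return groups


def render(groups):
    """Text version of the first two warning layers: heading, then labels."""
    lines = []
    for heading, labels in groups.items():
        lines.append(heading.upper())
        lines.extend("    " + label for label in labels)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(group_for_display(requested_permissions(SAMPLE_MANIFEST))))
```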

Figure 1: On the left, a screenshot of the Android Market’s final installation page, displaying the application’s permission requests. On the right, the permission dialog that appears if a user clicks on a permission warning.

2.2 Smartphone Privacy
Past studies on smartphone users’ privacy concerns have primarily focused on location tracking and sharing.
Although location sharing is an important aspect of smartphone privacy, only 2 of 134 Android permissions pertain to location.
Concurrently, Roesner et al. studied user expectations for location, copy-and-paste, camera, and SMS security. Our study encompasses all permissions and focuses on how users perceive the existing permission warnings.
In concurrent and independent work, Kelley et al. performed twenty semi-structured interviews to explore Android users’ feelings about and understanding of permissions. However, the scope of our study is much broader: we collected large-scale quantitative results, performed an observational study, and experimentally measured comprehension with multiple metrics. Their study exclusively reported qualitative data and did not address attention or behavior. Additionally, we designed our study to identify specific problems with the way permissions are presented.
Android privacy researchers have built several tools to help users avoid privacy violations. Most research has focused on identifying malicious behavior, without considering how to help users make informed security decisions. However, two sets of researchers have focused on usability. Howell and Schechter proposed the creation of a sensor-access widget, which visually notifies the user when a sensor like the camera is active. Roesner et al. proposed user-driven access control: rather than asking users to review warnings, this approach builds permission-granting into existing user actions. We focus on the usability of the existing system, rather than providing new tools or user interfaces.

2.3 Warning Research
Wogalter proposed a model of how humans process warning messages, known as the Communication-Human Information Processing (C-HIP) model. The model formalizes the steps of a human’s experience between being shown a warning message and deciding whether or not to heed the warning. C-HIP assumes that the user is expected to immediately act upon the warning, which is appropriate for research on computer security dialogs. (Other researchers have focused on situations in which consumers need to recall warnings for later use.) Researchers in the area of usable security have begun to use Wogalter’s model to analyze the specific ways in which computer security dialogs can fail users.
Cranor used the C-HIP model as the basis for her “human in the loop” framework, which addresses problems for designers of interactive systems. Egelman et al. used the C-HIP model to examine the anti-phishing warnings used by two popular web browsers to determine how they could be improved. They recommended differentiating severe warnings from less severe ones, providing recommendations to the user, and eliminating jargon. Sunshine et al. performed a followup study using the C-HIP model to examine web browser certificate warnings. They concluded that warnings should be designed based on the severity of the threat model, and that it is important to take context into account when offering suggestions to the user. Some of these lessons could be applied to Android permission warnings to improve them.
The Facebook Platform’s security warnings are similar to Android’s, in that a permission dialog is triggered when a third-party application requests access to personal data. King et al. asked participants whether they noticed the permission dialog before entering their survey, and only a minority responded affirmatively. However, this result is not necessarily generalizable; the participants knew the survey application had been created by a privacy researcher, which likely decreased their interest in security indicators. They also presented survey participants with general comprehension questions about the Facebook platform, such as whether Facebook applications are created by Facebook. Half of participants were able to answer each of these questions correctly.
Technology users’ feelings about privacy are complicated and often contradictory. When asked directly about their privacy preferences, most surveys have found that people are very protective of their personal data. However, users’ actions do not always correspond to their professed preferences. This may be because users overestimate their privacy concerns or do not understand the ramifications of their actions (i.e., the user does not understand that the action violates his or her privacy preferences). As such, we design our inquiry into Android permissions to be robust to over-reporting of security concerns by directly observing users and asking questions about users’ past actions.

3. METHODOLOGY
We surveyed 308 Android users with an Internet survey and interviewed 25 Android users in a laboratory study. We designed the two studies to validate each other. We recruited Internet survey respondents with AdMob advertisements and laboratory study participants with Craigslist advertisements; although both recruitment procedures might introduce bias, it is unlikely that they introduced the same biases. We piloted our studies with 50 AdMob-recruited Internet respondents and interviews of acquaintances.

Figure 2: Screenshot of a quiz question from the Internet survey.

3.1 Internet Survey
In September 2011, we recruited Android users to answer an Internet survey about Android permissions. The purpose of this survey was to gauge how widely users understand and consider Android permissions. To recruit respondents, we commissioned an advertising campaign using AdMob’s Android advertising service.
Our advertisement was displayed in applications on Android devices in the U.S. and Canada. (The advertisement did not appear on web sites.) As an incentive to participate, each person who completed a survey received a free MP3 download from Amazon.com.
The advertisement included our university’s name and said, “Survey for free Amazon MP3.” We recruited people with AdMob advertisements because doing so restricted survey respondents to those using applications on Android devices.
We paid AdMob $0.116 per click and received 31,984 visitors, of which 1,994 (1%) began and 350 (17.5%) completed the survey.
The rate at which people began the survey was likely influenced by the high rate of accidental clicks on advertisements on mobile devices and our request that only people age 18 and over take the survey. Among people who started the survey, the completion rate was likely influenced by the difficulty of completing a survey on a phone. We ran the advertisement for two hours, and respondents completed it in an average of seven minutes.
We filtered out respondents who (1) stated that they were under 18, (2) had non-Android user-agent strings, or (3) appeared to be duplicates based on their IP addresses and user-agent strings. This left us with 326 unique responses. We designed our survey to make cheating (i.e., false responses to receive the MP3) easy and obvious by making every question optional and providing an “I don’t know” option for each question. Survey responses fell into two distinct groups: responses in which all but two or three questions were complete, and responses in which only one or two questions were complete. (Complete questions are neither blank nor “I don’t know.”) We filtered out responses in the latter group. This resulted in a total of 308 valid responses. The 308 respondents reported that they were 50% male and 49% female, with the remainder declining to report their gender. Respondents indicated that their age distribution was: 28% between the ages of 18 and 28, 28% between the ages of 29 and 39, 22% between the ages of 40 and 50, 15% between the ages of 51 and 61, and 5% over the age of 62. This age distribution is in line with Android age demographics [1], although the gender breakdown of our survey is more balanced than overall Android demographics.
The survey was nine pages long and meant to be completed on an Android smart phone. Each page filled a standard phone screen. We used the first three pages to ask respondents about Android usage information: how long they had owned an Android phone, from where they had downloaded Android applications, and the factors they considered when downloading applications. On each of the three subsequent pages, we randomly displayed 1 of 11 Android permission warnings and asked respondents to indicate what the permission allows the application to do. We gave respondents four choices, in addition to “none of these” and “I don’t know.” We then asked respondents to complete the three Westin index questions, tell us about their past actions relating to Android permissions, and provide demographics information (age and gender).
Figure 2 depicts one of the quiz questions from the survey, and Table 3 lists the 11 quiz questions and choices. We designed the permission quiz questions to include one completely incorrect choice and one choice to test fine-grained comprehension (e.g., whether they understood that a permission to read calendar events does not include the privilege to edit the calendar). The set of 11 quiz questions included two questions about the READ_SMS permission: one to test the distinction between reading and sending SMS messages, and another to test respondents’ familiarity with the “SMS” acronym.
Survey respondents received only one of these two related questions, so scores for these questions were independent of each other. All of the quiz questions had one or two correct choices, with the exception of the question about the CAMERA permission. This permission controls the ability to take a new photograph or video recording; it does not control access to the photo library. However, we later discovered that all applications can view or edit the photo library without any permission. Consequently, the correct answer to the CAMERA permission question is to select all four choices.

Figure 3: Screenshot of permissions on an application’s Settings page.

3.2 Laboratory Study
In October 2011, we recruited 25 local Android users for a laboratory study. The primary purpose of the laboratory study was to supplement the Internet survey with detailed and explanatory data. We also designed the attention and behavior portions of the interview to avoid any over-reporting problems that might have influenced the Internet survey.
To recruit participants, we posted a Craigslist ad for the San Francisco Bay Area. Our advertisement offered people $60 to participate in an hour-long interview about how they “choose and use Android applications.” In order to be eligible for the laboratory study, we required that participants owned an Android phone and used applications. We also asked study applicants to look at a screenshot and tell us whether they had the new or old version of the Android Market; we then secretly limited eligibility to users with the newer version of the Android Market. Google released a new version of the Market in August 2011, and not all phones had been upgraded yet. We decided to focus on users with the new version of the Market to reduce study variability. Our Craigslist advertisement yielded 112 eligible participants. In order to match our participants’ ages to Android demographics, we grouped applicants by age and selected a random proportion of people from each age group. We scheduled interviews with 30 participants. Three people failed to attend and two people had technical problems with their phones, leaving us with 25 completed interviews (12 women and 13 men). The age distribution was close to overall Android age demographics by design, with 20% of participants between 18 and 24, 32% between 25 and 34, 20% between 35 and 44, 16% between 45 and 54, and 12% older than 55. None of the participants were affiliated with our institution, although some of the younger participants were students at other universities. Each interview took 30–60 minutes and had six parts:
1. General Android usage questions (e.g., how many applications they have installed).
2. Participants were instructed to find and install an application from the Android Market, using their own phones. We prompted them to install a “parking finder app that will help [the user] locate your parked car.” This task served to confirm that participants were familiar with installing applications from the Android Market.
3. Participants were instructed to find and install a second application from the Android Market using their own phones.
We prompted them to:
Pretend you are a little short on cash, so you want to install a coupons app. You want to be able to find coupons and sales for groceries, your favorite electronics, or clothes while you’re out shopping. If you already have a coupons app, pretend you don’t like it and want a new one.
All of the top-ranked applications for search terms related to this scenario had multiple permissions. During this application search process, we asked participants to tell us what they were thinking about while using the Market. We also observed what user interface elements they interacted with.
4. Westin index questions.
5. We asked participants about an application on their phone that they had installed and recently used. We then opened the application’s information page in Settings (Figure 3) and asked them to describe and explain the permissions. 
6. We asked participants for specific details about past permission-related behaviors, such as whether they have ever looked up permissions or decided not to install an application because of its permissions.
Two researchers performed each interview, with one acting as the interviewer and the other acting as a notetaker.
To promote a casual atmosphere, we held the interviews at a coffee shop and offered participants coffee, tea, or water. Participants used their own phones to encourage them to behave as they would in the real world. We made an effort to not prime participants to security or privacy concerns until the fourth task, at which point we specifically asked them about their attitudes towards privacy. We introduced ourselves as computer science students and did not reveal that we were security researchers until the end of the study.
We prevented participants from determining the security focus of the study in advance by posting the Craigslist advertisement in the name of a researcher with no online presence or prior publications.

4. ATTENTION DURING INSTALLATION
Do users notice Android permissions before installing an application? Attention is a prerequisite for an effective security indicator: a user cannot heed a warning that he or she does not notice. In our Internet survey we asked respondents whether they looked at permissions during installation. To supplement this self-reported statistic, we empirically determined whether laboratory study participants were aware of permission warnings. We also report users’ attention to user reviews, which are shown during installation.

4.1 Permissions
4.1.1 Internet Survey
In our Internet survey, we asked respondents, “The last time you downloaded an Android application, what did you look at before deciding to download it?” Respondents were able to select multiple choices from a set of options that included “Market reviews,” “Internet reviews,” “screenshots,” and “permissions.” We found that 17.5% of our 308 respondents (95% CI: [13.5%, 22.3%]) reported looking at permissions during their last application installation. Respondents who can be classified as Privacy Fundamentalists using the Westin index were significantly more likely to report looking at permissions than other respondents (p < 0.0005; Fisher’s exact test). While statistically significant, the proportion of Privacy Fundamentalists who claimed to look at permissions was still a minority: 40.5% of the 42 Privacy Fundamentalists reported looking at permissions, whereas 13.9% of the remaining 266 respondents reported looking at permissions.
This self-reported question suffers from two limitations: some people over-report security concerns, and others may read permissions without knowing the technical term that refers to them. We asked survey respondents specifically about their “last installation” to discourage over-reporting, but people may still guess when they cannot remember. Our laboratory study served to confirm the results of the survey on a second population with a different metric.


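Attention to permissions      Number of users      95% CI
Looked at the permissions      4      17%          5% to 37%
Didn't look, but aware        10      42%          22% to 63%
Unaware of permissions        10      42%          22% to 63%
Table 1: Attention to permissions at installation (laboratory study, n = 24)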

4.1.2 Laboratory Study
In the follow-up laboratory study, we performed an experiment to empirically determine whether users noticed permissions during installation. We instructed study participants to talk us through the process of searching for and installing a coupon application. We recorded whether they clicked on or mentioned the permissions on the final Market installation page. To avoid priming participants, we did not mention permissions unless the participant verbally indicated that he or she was reading them. After each participant passed through the page with permissions, we asked him or her to describe what had been on the previous page.
We categorized participants into three groups:
• Participants who looked at permissions during the installation. These participants either told us that they were looking at permissions while on the page with permissions or they were later able to provide specific details about the contents of that page. They were also able to discuss permissions in general, indicating that the laboratory study was not the first time that they had viewed permissions. For example, one participant opened the page with permissions and stated, “The only thing I started doing recently, is kinda looking at these – is there anything really weird.” When questioned, that participant described concern over “the network stuff.”
• Participants who did not look at the permissions for this specific application, but were able to tell us that the final installation page listed permissions. In order to answer our question, these participants must have paid attention to permissions at some point in the past. For example, one participant in this category responded, “I’ve seen a lot of them... A lot of ’em have full network access, access to your dialer, your call logs, and GPS location also.”
• Participants who were unaware that the final installation page included a list of permissions. For example, one participant said, “I don’t remember. I just remember ‘Download and install’.” Another said, “I don’t ever pay attention. I just accept and download it.”
We did not require knowledge of the term “permissions”; participants typically used other phrases (e.g., “little warning things”) to describe what they saw or remembered.
Table 1 shows the number of study participants who fell into each of the three categories. Fourteen participants (58% of 24) noticed permissions during the experimental installation or reported paying attention to permissions in the past. The remaining participants were unaware of the presence of permissions on the final installation page in the Market. We did not observe a relationship between Westin indices and participants’ attention to permissions.
Of the ten participants who did not look at permissions during the study but were aware of them, three volunteered that they used to look at permissions but no longer do. For example, one participant said, “I used to look...I just stopped doing that.” These participants might have experienced warning fatigue, since users see permission warnings for about 90% of applications. One participant said that she used to be concerned about the location permission, but gradually lost her concern because so many of the applications that she installed requested this permission.
Of the ten participants who had never paid attention to permissions, two knew that they were accepting an agreement on the final installation page. They both described the page as containing legal terms of use, with one incorrectly elaborating that the text specified legal restrictions on the use of the application. Due to their lack of interest in legal text, neither had ever read the screen so they were unaware that the text pertains to security and privacy.
The self-reported survey and observational study results both suggest that 17% of users routinely look at permissions when installing an application. We also found that 42% of study participants could not possibly benefit from permission information because they had never noticed it. The remaining 42% of participants were aware of permissions but do not always consider them.
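
The intervals and the significance test reported in Sections 4.1.1 and 4.1.2 can be recomputed from the counts; the following is an added example, not code from the paper. It assumes the intervals are exact (Clopper-Pearson) binomial intervals, a method the page does not name, and it back-calculates the counts 17 of 42 and 37 of 266 from the reported 40.5% and 13.9%.

```python
from math import comb

def tail_ge(k, n, p):
    """P(X >= k) for X ~ Binomial(n, p)."""
    return sum(comb(n, i) * p**i * (1 - p)**(n - i) for i in range(k, n + 1))

def solve_increasing(f, target):
    """Bisection on [0, 1] for the p at which increasing f(p) reaches target."""
    lo, hi = 0.0, 1.0
    for _ in range(60):
        mid = (lo + hi) / 2
        lo, hi = (mid, hi) if f(mid) < target else (lo, mid)
    return (lo + hi) / 2

def clopper_pearson(k, n, alpha=0.05):
    """Exact two-sided confidence interval for the proportion k/n."""
    lower = 0.0 if k == 0 else solve_increasing(lambda p: tail_ge(k, n, p), alpha / 2)
    # P(X <= k) = alpha/2 is the same condition as P(X >= k+1) = 1 - alpha/2.
    upper = 1.0 if k == n else solve_increasing(lambda p: tail_ge(k + 1, n, p), 1 - alpha / 2)
    return lower, upper

def fisher_two_sided(a, b, c, d):
    """Two-sided Fisher exact p-value for the 2x2 table [[a, b], [c, d]]."""
    row1, col1, total = a + b, a + c, a + b + c + d
    denom = comb(total, row1)
    def pmf(x):  # hypergeometric probability of x in the top-left cell
        return comb(col1, x) * comb(total - col1, row1 - x) / denom
    observed = pmf(a)
    first, last = max(0, row1 + col1 - total), min(row1, col1)
    # Sum all tables that are no more probable than the observed one.
    return sum(q for q in map(pmf, range(first, last + 1)) if q <= observed * (1 + 1e-9))

def recompute():
    """Recompute the section's intervals and test from its reported counts."""
    # Assumption: 17 of 42 and 37 of 266 are back-calculated from 40.5% and 13.9%.
    fundamentalists, others = (17, 42), (37, 266)
    looked = fundamentalists[0] + others[0]          # 54 of 308 = 17.5%
    return {
        "survey_ci": clopper_pearson(looked, 308),
        "lab_looked_ci": clopper_pearson(4, 24),     # Table 1, first row
        "lab_aware_ci": clopper_pearson(10, 24),     # Table 1, second and third rows
        "fisher_p": fisher_two_sided(17, 42 - 17, 37, 266 - 37),
    }

if __name__ == "__main__":
    for name, value in recompute().items():
        print(name, value)
```

The width of the laboratory intervals (n = 24) compared with the survey interval (n = 308) shows how much less precisely the small observational sample pins down the 17% figure.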


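Importance      Read reviews      Did not read reviews
A lot           68%               4%
Some            16%               4%
Not trusted     4%                0%
Unknown         0%                4%
Total           88%               12%

Table 2: We observed whether users read reviews, and later asked them how important reviews are (laboratory study, n = 25)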
