[PPT] - Antri Kolani CS682 ADVANCED SECURITY TOPICS Two usability studies PowerPoint Presentation

SLIDE 1

Antri Kolani CS682 ADVANCED SECURITY TOPICS

SLIDE 2

Two usability studies held in 2011:

an Internet survey of 308 Android users, and
a laboratory study of 25 Android users
Study participants displayed low attention and comprehension

rates

2

SLIDE 3

Attention
Comprehension
Behavior

3

SLIDE 4

Use of permissions from Android
Phone resources
Google’s role
Android Grayware

4

SLIDE 5

5

Final installation page and permission dialog

SLIDE 6

1. Attention switch and maintenance.

2. Comprehension and memory.
3. Attitudes and belief.
4. Motivation.
5. Behavior.

6

SLIDE 7

.

Decrease of the initial rate of participants
Completion rate
Advertisement for the survey

7

SLIDE 8

8

Screenshots of a quiz question and of permissions

SLIDE 9

Craigslist ad
Requirement for participants to have android phone

9

SLIDE 10

1. General Android usage questions
2. Installation of an application
3. Installation of a second application
4. Westin index questions.
5. Participant’s recently used application
6. Details about past permission related behaviors

10

SLIDE 11

The last time you downloaded an Android application, what did you look at before deciding to download it?

17,5% of 308 respondents
40,5% of the 42 Privacy Fundamentalists
13,9% of the remaining 266 respondents

11

SLIDE 12

12

SLIDE 13

“The last time you downloaded an Android application, what did you look at before deciding to download it?” 219 survey respondents saw review before installation. Of these, 193 respondents looked Market reviews 42 respondents looked other reviews on the Internet. 26 respondents looked both Internet and Market reviews.

13

SLIDE 14

14

SLIDE 15

1.

Permission Comprehension Quiz

2.

Free-Form Permission Descriptions

3.

Specific Permission Comprehension

15

SLIDE 16

16

SLIDE 17

To evaluate user understanding, graded participants’ freeform descriptions of permissions as follows:

Correct
Correct but overly broad
Incomplete
Incomplete and overly broad
Wrong
Unable to answer
Omitted

17

SLIDE 18

SEND_SMS permission

18

SLIDE 19

“Have you ever not installed an app because of

permissions?”

Respondents were shown the following four choices:

1.

Yes, I didn’t like the permissions

2.

Yes, there were too many permissions

3.

No

4.

I don’t know

19

SLIDE 20

20

SLIDE 21

Permission warnings
Current Android Permission system
Laboratory study participants
Reviews from users

21

SLIDE 22

1. Categories
2. Risks, Not Resources
3. Low-Risk Warnings
4. Absent Permissions
5. Optional Permissions

22

SLIDE 23

1.Timing

2. Reviews
3. Customization

23

SLIDE 24

Effectiveness of Android permissions.
Android permissions fail to inform the majority of users
Minority of users demonstrated awareness and understanding of

permissions

24

SLIDE 25

Alice in Warningland: A Large-Scale Field Study of Browser Security Warning Effectiveness

25

SLIDE 26

Warnings to users
User clicks through a warning
User leaves the warning
Clickthrough rate
Telemetry mechanism

26

SLIDE 27

Focus on three types of browser security warnings:

Malware and Phishing
SSL warnings
Browser Release Channels

27

SLIDE 28

Clickthrough Rate
Warning Mechanisms
Warning Design
Click Count

28

SLIDE 29

Active warnings
Phishing websites
Egelman et al. study

29

SLIDE 30

Critical step
Clickthrough Rate
Warning Design
Click Count
Dhamija study
Passive Indicators

30

SLIDE 31

Mozilla and Google both follow rapid release cycles.
“stable” (Google Chrome) or “release” Mozilla Firefox)
Pre-release channels

31

SLIDE 32

Measuring Clickthrough Rates
Ethics
Method Limitations

32

SLIDE 33

Implemented metrics in both browsers
Bypassing warnings
Click through specific SSL errors.
Mozilla Firefox data set

33

SLIDE 34

User shares usage data
Browser collects data
Browser periodically sends this pseudonymous data

34

SLIDE 35

Private Data
Sampling Bias
Overrepresentation
Frames

35

SLIDE 36

Clickthrough rates for malware warnings
Clickthrough rates for phishing warnings
Malware Rates by Date
Malware/Phishing Rates by Warning Type
Malware/Phishing Rates by Demographics
Malware/Phishing Rates by Browser

36

SLIDE 37

Malware rates for Google Chrome
Clickthrough rates ranging
Mozilla Firefox malware warning clickthrough rate

37

SLIDE 38

In Mozilla Firefox, higher clickthrough rate for phishing

warnings than malware warnings

38

SLIDE 39

39

SLIDE 40

Google Chrome and Mozilla Firefox stable users.
Mozilla Firefox’s warnings
Browsers have different demographics

40

SLIDE 41

Clickthrough rates
SSL Rates by Demographic
SSL Rates by Browser
SSL Rates by Certificate Error Type
Additional SSL Metrics

41

SLIDE 42

Nightly users
Firefox Linux users
Chrome Windows users

42

SLIDE 43

Number of Clicks
Warning Appearance
Certificate Pinning
Remembering Exceptions
Demographics

43

SLIDE 44

Google Chrome
Mozilla Firefox
Error Prevalence

44

SLIDE 45

More Information
Add Exception Cancellation
Remember Exception

45

SLIDE 46

46

SLIDE 47

Demographics
Number of Clicks
Warning Fatigue
More Information

47

SLIDE 48

Clickthrough rates
Higher technical skill
Technically advanced users.
Studies of these users

48

SLIDE 49

User behavior.
Simple Firefox warning.

49

SLIDE 50

Common SSL errors

50

SLIDE 51

Explanatory links such as “More Information” or “Learn More”.
Designers of such links
Mozilla Firefox information about SSL errors
Google Chrome error details

51

SLIDE 52

Google Chrome and Mozilla Firefox’s telemetry platforms
Browser security warnings can be successful
Clickthrough rates as high as 70.2% for Google Chrome SSL

warnings

52