> > > I agree that the current UI is not great. However, I disagree about > "everyone" clicking through permission grants. I've done two user studies > and found that about ~18% of people look at permissions for a given > installation, and about ~60% look occasionally. We found that most have no > idea what they really mean -- but that is a separate problem pertaining to > the presentation. Also, about 20% of people have in the past avoided apps > that they considered "bad" because the permissions alerted them to > something that they didn't like. > > Did you publish this research somewhere? Would be interested to know your > sample size and type, response rate, etc. >
It's in submission, but I can put together a tech report if you are interested. Results are from two studies: self-reported data from 308 online Android users (recruited via Admob), and confirmed by an observational study of 25 Android users in the bay area (selected from a large pool of Craigslist applicants so that they match the overall Android population by gender, age, etc.). > > One thing I've found is that developers often don't understand the > relationship between Intents and permissions in Android. A common mistake > is for an app to ask for the READ_CONTACTS permission even though it's > actually using an Intent to access contacts (which doesn't need the > permission). Either that, or apps will unnecessarily implement things that > are already provided via Intents for no particular reason. I think these > issues could be avoided on the Web by first introducing something that can > be accessed via WebIntents and only later introducing direct access via > "permissions", and also making the documentation very clear. > Do you think this might be a consequence of developers copy/pasting > permissions? I wonder if anyone has looked into that (might be easy to see > overlaps or replication across applications). > I've found several cases of bad permission behavior being copied and pasted by developers, although I am sure there are more cases than I found since I did not originally go out looking for it. (If you check out section 6.3 of http://www.cs.berkeley.edu/~afelt/android_permissions.pdf I give a few other examples of common reasons why developers ask for more permissions than they need.) Adrienne
