On Wednesday, February 8, 2012 at 10:33 PM, Adrienne Porter Felt wrote:
> > > I agree that the current UI is not great. However, I disagree about > > > "everyone" clicking through permission grants. I've done two user studies > > > and found that about ~18% of people look at permissions for a given > > > installation, and about ~60% look occasionally. We found that most have > > > no idea what they really mean -- but that is a separate problem > > > pertaining to the presentation. Also, about 20% of people have in the > > > past avoided apps that they considered "bad" because the permissions > > > alerted them to something that they didn't like. > > > > > > Did you publish this research somewhere? Would be interested to know your > > sample size and type, response rate, etc. > > It's in submission, but I can put together a tech report if you are > interested. Results are from two studies: self-reported data from 308 online > Android users (recruited via Admob), and confirmed by an observational study > of 25 Android users in the bay area (selected from a large pool of Craigslist > applicants so that they match the overall Android population by gender, age, > etc.). I think a technical report would be great to have (even if it's just a bullet summary of findings). It will give us some data to reference, which is so often lacking in debates around here. > > > > > One thing I've found is that developers often don't understand the > > > relationship between Intents and permissions in Android. A common mistake > > > is for an app to ask for the READ_CONTACTS permission even though it's > > > actually using an Intent to access contacts (which doesn't need the > > > permission). Either that, or apps will unnecessarily implement things > > > that are already provided via Intents for no particular reason. I think > > > these issues could be avoided on the Web by first introducing something > > > that can be accessed via WebIntents and only later introducing direct > > > access via "permissions", and also making the documentation very clear. > > > > Do you think this might be a consequence of developers copy/pasting > > permissions? I wonder if anyone has looked into that (might be easy to see > > overlaps or replication across applications). > > > I've found several cases of bad permission behavior being copied and pasted > by developers, although I am sure there are more cases than I found since I > did not originally go out looking for it. (If you check out section 6.3 of > http://www.cs.berkeley.edu/~afelt/android_permissions.pdf I give a few other > examples of common reasons why developers ask for more permissions than they > need.) > Thank you! This is very helpful to us that are not able to keep up with the literature on the matter. -- Marcos Caceres
