
Re: Installing web apps

From: Adrienne Porter Felt <apf@berkeley.edu>
Date: Wed, 8 Feb 2012 14:33:57 -0800
Message-ID: <CA+yvPmcPSGRivLxFE_VX-EhrtrLvpD7V65G3Qpci2YdCSjqmEA@mail.gmail.com>
To: Marcos Caceres <w3c@marcosc.com>
Cc: Robin Berjon <robin@berjon.com>, Paul Libbrecht <paul@hoplahup.net>, Boris Zbarsky <bzbarsky@mit.edu>, public-webapps@w3.org

> > I agree that the current UI is not great. However, I disagree about
> > "everyone" clicking through permission grants. I've done two user studies
> > and found that about ~18% of people look at permissions for a given
> > installation, and about ~60% look occasionally. We found that most have no
> > idea what they really mean -- but that is a separate problem pertaining to
> > the presentation. Also, about 20% of people have in the past avoided apps
> > that they considered "bad" because the permissions alerted them to
> > something that they didn't like.
>
> Did you publish this research somewhere? Would be interested to know your
> sample size and type, response rate, etc.

It's in submission, but I can put together a tech report if you are
interested.  Results are from two studies: self-reported data from 308
online Android users (recruited via Admob), and confirmed by an
observational study of 25 Android users in the Bay Area (selected from a
large pool of Craigslist applicants so that they match the overall Android
population by gender, age, etc.).

> > One thing I've found is that developers often don't understand the
> > relationship between Intents and permissions in Android. A common mistake
> > is for an app to ask for the READ_CONTACTS permission even though it's
> > actually using an Intent to access contacts (which doesn't need the
> > permission). Either that, or apps will unnecessarily implement things that
> > are already provided via Intents for no particular reason. I think these
> > issues could be avoided on the Web by first introducing something that can
> > be accessed via WebIntents and only later introducing direct access via
> > "permissions", and also making the documentation very clear.
>
> Do you think this might be a consequence of developers copy/pasting
> permissions? I wonder if anyone has looked into that (might be easy to see
> overlaps or replication across applications).

I've found several cases of bad permission behavior being copied and pasted
by developers, although I am sure there are more cases than I found since I
did not originally go out looking for it. (If you check out section 6.3 of
http://www.cs.berkeley.edu/~afelt/android_permissions.pdf I give a few
other examples of common reasons why developers ask for more permissions
than they need.)

Received on Wednesday, 8 February 2012 22:34:50 UTC
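
Added example, not part of the original message: a small audit for the READ_CONTACTS mistake described in the thread, where an app declares the permission but only reaches contacts through a picker Intent. The function names, the regex heuristics and the sample manifest and source are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
READ_CONTACTS = "android.permission.READ_CONTACTS"

# Constructed sample input (not taken from any real app).
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.picker">
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

SAMPLE_SOURCE = """
Intent i = new Intent(Intent.ACTION_PICK, ContactsContract.Contacts.CONTENT_URI);
startActivityForResult(i, PICK_CONTACT);
// onActivityResult: the picker hands back a URI for the one chosen contact
Cursor c = getContentResolver().query(data.getData(), null, null, null, null);
"""

# Assumed heuristic: contact picker launched through an Intent.
PICK_INTENT = re.compile(r"Intent\.ACTION_PICK\s*,\s*ContactsContract\.")
# Assumed heuristic: provider queried directly with a ContactsContract URI,
# which is the access path that needs READ_CONTACTS.
DIRECT_QUERY = re.compile(r"\.query\(\s*ContactsContract\.[\w.]*CONTENT_\w*URI")


def declared_permissions(manifest_xml):
    """Return the set of permission names in <uses-permission> elements."""
    # For manifests from untrusted packages, parse with a hardened XML parser.
    root = ET.fromstring(manifest_xml)
    return {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}


def audit_read_contacts(manifest_xml, sources):
    """Classify READ_CONTACTS as not-declared, needed, likely-unneeded or unknown."""
    if READ_CONTACTS not in declared_permissions(manifest_xml):
        return "not-declared"
    joined = "\n".join(sources)
    if DIRECT_QUERY.search(joined):
        return "needed"
    if PICK_INTENT.search(joined):
        return "likely-unneeded"
    return "unknown"


if __name__ == "__main__":
    print(audit_read_contacts(SAMPLE_MANIFEST, [SAMPLE_SOURCE]))
```

A "likely-unneeded" result is a prompt for manual review, since source-level pattern matching cannot see reflection or library code.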
