- From: Marcos Caceres <w3c@marcosc.com>
- Date: Thu, 9 Feb 2012 12:21:28 +0000
- To: Adrienne Porter Felt <apf@berkeley.edu>
- Cc: Robin Berjon <robin@berjon.com>, Paul Libbrecht <paul@hoplahup.net>, Boris Zbarsky <bzbarsky@mit.edu>, public-webapps@w3.org
On Wednesday, February 8, 2012 at 10:33 PM, Adrienne Porter Felt wrote: > > > I agree that the current UI is not great. However, I disagree about "everyone" clicking through permission grants. I've done two user studies and found that about ~18% of people look at permissions for a given installation, and about ~60% look occasionally. We found that most have no idea what they really mean -- but that is a separate problem pertaining to the presentation. Also, about 20% of people have in the past avoided apps that they considered "bad" because the permissions alerted them to something that they didn't like. > > > > > > Did you publish this research somewhere? Would be interested to know your sample size and type, response rate, etc. > > It's in submission, but I can put together a tech report if you are interested. Results are from two studies: self-reported data from 308 online Android users (recruited via Admob), and confirmed by an observational study of 25 Android users in the bay area (selected from a large pool of Craigslist applicants so that they match the overall Android population by gender, age, etc.). I think a technical report would be great to have (even if it's just a bullet summary of findings). It will give us some data to reference, which is so often lacking in debates around here. > > > > > One thing I've found is that developers often don't understand the relationship between Intents and permissions in Android. A common mistake is for an app to ask for the READ_CONTACTS permission even though it's actually using an Intent to access contacts (which doesn't need the permission). Either that, or apps will unnecessarily implement things that are already provided via Intents for no particular reason. I think these issues could be avoided on the Web by first introducing something that can be accessed via WebIntents and only later introducing direct access via "permissions", and also making the documentation very clear. > > > > Do you think this might be a consequence of developers copy/pasting permissions? I wonder if anyone has looked into that (might be easy to see overlaps or replication across applications). > > > I've found several cases of bad permission behavior being copied and pasted by developers, although I am sure there are more cases than I found since I did not originally go out looking for it. (If you check out section 6.3 of http://www.cs.berkeley.edu/~afelt/android_permissions.pdf I give a few other examples of common reasons why developers ask for more permissions than they need.) > Thank you! This is very helpful to us that are not able to keep up with the literature on the matter. -- Marcos Caceres
Received on Thursday, 9 February 2012 12:22:02 UTC