
Antri Kolani, CS682 Advanced Security Topics: Two usability studies

  1. Antri Kolani, CS682 ADVANCED SECURITY TOPICS

  2. Two usability studies held in 2011:
     • an Internet survey of 308 Android users, and
     • a laboratory study of 25 Android users
     Study participants displayed low attention and comprehension rates
     (Felt et al., "Android Permissions: User Attention, Comprehension, and Behavior", SOUPS 2012)

  3. • Attention
     • Comprehension
     • Behavior

  4. • Use of permissions from Android
     • Phone resources
     • Google's role
     • Android grayware

  5. Final installation page and permission dialog

  6. 1. Attention switch and maintenance.
     2. Comprehension and memory.
     3. Attitudes and beliefs.
     4. Motivation.
     5. Behavior.

  7. • Decrease of the initial rate of participants
     • Completion rate
     • Advertisement for the survey

  8. Screenshots of a quiz question and of permissions

  9. • Craigslist ad
     • Requirement for participants to have an Android phone

  10. 1. General Android usage questions
      2. Installation of an application
      3. Installation of a second application
      4. Westin index questions
      5. Participant's recently used application
      6. Details about past permission-related behaviors

  11. "The last time you downloaded an Android application, what did you look at before deciding to download it?"
      Respondents who mentioned permissions:
      • 17.5% of the 308 respondents
      • 40.5% of the 42 Privacy Fundamentalists
      • 13.9% of the remaining 266 respondents

  12.

  13. "The last time you downloaded an Android application, what did you look at before deciding to download it?"
      219 survey respondents looked at reviews before installation. Of these, 193 looked at Market reviews, 42 looked at other reviews on the Internet, and 26 looked at both Market and Internet reviews.

  14.

  15. 1. Permission Comprehension Quiz
      2. Free-Form Permission Descriptions
      3. Specific Permission Comprehension

  16.

  17. To evaluate user understanding, participants' free-form descriptions of permissions were graded as follows:
      • Correct
      • Correct but overly broad
      • Incomplete
      • Incomplete and overly broad
      • Wrong
      • Unable to answer
      • Omitted

  18. • SEND_SMS permission

  19. "Have you ever not installed an app because of permissions?"
      Respondents were shown the following four choices:
      1. Yes, I didn't like the permissions
      2. Yes, there were too many permissions
      3. No
      4. I don't know

  20.

  21. • Permission warnings
      • Current Android permission system
      • Laboratory study participants
      • Reviews from users

  22. 1. Categories
      2. Risks, Not Resources
      3. Low-Risk Warnings
      4. Absent Permissions
      5. Optional Permissions

  23. 1. Timing
      2. Reviews
      3. Customization

  24. • Effectiveness of Android permissions
      • Android permissions fail to inform the majority of users
      • A minority of users demonstrated awareness and understanding of permissions

  25. Alice in Warningland: A Large-Scale Field Study of Browser Security Warning Effectiveness (Akhawe and Felt, USENIX Security 2013)

  26. • Warnings to users
      • User clicks through a warning
      • User leaves the warning
      • Clickthrough rate
      • Telemetry mechanism

  27. Focus on three types of browser security warnings:
      • Malware warnings
      • Phishing warnings
      • SSL warnings
      Background: browser release channels

  28. • Clickthrough Rate
      • Warning Mechanisms
      • Warning Design
      • Click Count

  29. • Active warnings
      • Phishing websites
      • Egelman et al. study

  30. • Critical step
      • Clickthrough Rate
      • Warning Design
      • Click Count
      • Dhamija study
      • Passive Indicators

  31. • Mozilla and Google both follow rapid release cycles.
      • "stable" (Google Chrome) or "release" (Mozilla Firefox)
      • Pre-release channels

  32. • Measuring Clickthrough Rates
      • Ethics
      • Method Limitations

  33. • Implemented metrics in both browsers
      • Bypassing warnings
      • Click through specific SSL errors
      • Mozilla Firefox data set

  34. • User shares usage data
      • Browser collects data
      • Browser periodically sends this pseudonymous data

  35. • Private Data
      • Sampling Bias
      • Overrepresentation
      • Frames

  36. • Clickthrough rates for malware warnings
      • Clickthrough rates for phishing warnings
      • Malware Rates by Date
      • Malware/Phishing Rates by Warning Type
      • Malware/Phishing Rates by Demographics
      • Malware/Phishing Rates by Browser

  37. • Malware rates for Google Chrome
      • Clickthrough rates ranging
      • Mozilla Firefox malware warning clickthrough rate

  38. • In Mozilla Firefox, higher clickthrough rate for phishing warnings than for malware warnings

  39.

  40. • Google Chrome and Mozilla Firefox stable users
      • Mozilla Firefox's warnings
      • Browsers have different demographics

  41. • Clickthrough rates
      • SSL Rates by Demographic
      • SSL Rates by Browser
      • SSL Rates by Certificate Error Type
      • Additional SSL Metrics
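Slides 26, 28, 36 and 41 define the measurement: a warning is shown, the user either clicks through or leaves, and the clickthrough rate is then broken down by browser, warning type and certificate error type, with click count as a secondary metric. The Python below is an added example, not code from this presentation or from the Akhawe and Felt paper; its event schema, field names and sample telemetry are constructed assumptions. It shows how such rates are aggregated from per-impression records and makes explicit a choice the slides leave implicit: what counts as a "decision" in the denominator.

```python
"""Clickthrough-rate aggregation over constructed warning telemetry.

Added example: the event schema, field names and sample data below are
assumptions for illustration, not Chrome's or Firefox's real telemetry format.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, Hashable, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class WarningEvent:
    """One warning impression and how it ended (assumed schema)."""
    client_id: str            # pseudonymous per-installation id, not a user identity
    browser: str              # "chrome" or "firefox"
    warning: str              # "malware", "phishing" or "ssl"
    ssl_error: Optional[str]  # SSL only: "expired", "untrusted_issuer", "name_mismatch"
    outcome: str              # "clickthrough" (proceeded to the site) or "leave" (went back)
    clicks: int               # clicks the user made on the warning before the outcome


def _constructed(browser: str, warning: str, ssl_error: Optional[str],
                 clickthroughs: int, leaves: int, clicks_to_proceed: int) -> List[WarningEvent]:
    """Build constructed sample events (not figures from the paper)."""
    events = []
    for i in range(clickthroughs):
        events.append(WarningEvent(f"{browser}-{warning}-c{i}", browser, warning,
                                   ssl_error, "clickthrough", clicks_to_proceed))
    for i in range(leaves):
        events.append(WarningEvent(f"{browser}-{warning}-l{i}", browser, warning,
                                   ssl_error, "leave", 1))
    return events


# Constructed sample telemetry; counts are chosen to be easy to check by hand.
SAMPLE_EVENTS: List[WarningEvent] = (
    _constructed("chrome", "ssl", "untrusted_issuer", 5, 2, 1)
    + _constructed("chrome", "ssl", "expired", 2, 1, 1)
    + _constructed("firefox", "ssl", "untrusted_issuer", 2, 4, 3)
    + _constructed("chrome", "malware", None, 1, 3, 2)
    + _constructed("firefox", "phishing", None, 1, 4, 1)
)


def clickthrough_rate(events: Iterable[WarningEvent]) -> float:
    """Share of warnings the user bypassed.

    Denominator: impressions with a recorded decision. Events whose outcome is
    neither "clickthrough" nor "leave" (e.g. tab closed) are dropped from both
    numerator and denominator; that is this example's choice, not the paper's.
    """
    decided = [e for e in events if e.outcome in ("clickthrough", "leave")]
    if not decided:
        return 0.0
    return sum(e.outcome == "clickthrough" for e in decided) / len(decided)


def rates_by(events: Iterable[WarningEvent],
             key: Callable[[WarningEvent], Hashable]) -> Dict[Hashable, float]:
    """Clickthrough rate per group, for any grouping key (browser, warning, error type...)."""
    groups: Dict[Hashable, List[WarningEvent]] = defaultdict(list)
    for e in events:
        groups[key(e)].append(e)
    return {k: clickthrough_rate(v) for k, v in groups.items()}


def rates_by_browser_and_warning(events: Iterable[WarningEvent]) -> Dict[Tuple[str, str], float]:
    """The paper's main breakdown: rate per (browser, warning type)."""
    return rates_by(events, lambda e: (e.browser, e.warning))


def ssl_rates_by_error(events: Iterable[WarningEvent]) -> Dict[str, float]:
    """Clickthrough rate per certificate error type, SSL warnings only."""
    ssl_events = [e for e in events if e.warning == "ssl" and e.ssl_error is not None]
    return rates_by(ssl_events, lambda e: e.ssl_error)


def mean_clicks_to_proceed(events: Iterable[WarningEvent]) -> Dict[str, float]:
    """Average number of clicks a bypassing user needed, per browser.

    A multi-step dialog (expand details, add exception, confirm) shows up as a
    higher mean than a one-click "proceed anyway" button.
    """
    totals: Dict[str, List[int]] = defaultdict(list)
    for e in events:
        if e.outcome == "clickthrough":
            totals[e.browser].append(e.clicks)
    return {b: sum(c) / len(c) for b, c in totals.items()}


if __name__ == "__main__":
    for (browser, warning), rate in sorted(rates_by_browser_and_warning(SAMPLE_EVENTS).items()):
        print(f"{browser:8s} {warning:9s} clickthrough {rate:6.1%}")
    for err, rate in sorted(ssl_rates_by_error(SAMPLE_EVENTS).items()):
        print(f"ssl error {err:16s} clickthrough {rate:6.1%}")
    for browser, clicks in sorted(mean_clicks_to_proceed(SAMPLE_EVENTS).items()):
        print(f"{browser:8s} mean clicks to proceed {clicks:.2f}")
```

The grouping key is a plain callable so the same aggregation serves every breakdown on slides 36 and 41 (by browser, by warning type, by certificate error, by channel if a field for it is added). The denominator rule in clickthrough_rate is the one a practitioner must pin down before comparing two browsers: if one browser's telemetry records "tab closed" as a leave and the other records nothing, the rates are not comparable.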

  42. • Nightly users
      • Firefox Linux users
      • Chrome Windows users

  43. • Number of Clicks
      • Warning Appearance
      • Certificate Pinning
      • Remembering Exceptions
      • Demographics

  44. • Google Chrome
      • Mozilla Firefox
      • Error Prevalence

  45. • More Information
      • Add Exception Cancellation
      • Remember Exception

  46.

  47. • Demographics
      • Number of Clicks
      • Warning Fatigue
      • More Information

  48. • Clickthrough rates
      • Higher technical skill
      • Technically advanced users
      • Studies of these users

  49. • User behavior
      • Simple Firefox warning

  50. • Common SSL errors

  51. • Explanatory links such as "More Information" or "Learn More"
      • Designers of such links
      • Mozilla Firefox information about SSL errors
      • Google Chrome error details

  52. • Google Chrome and Mozilla Firefox's telemetry platforms
      • Browser security warnings can be successful
      • Clickthrough rates as high as 70.2% for Google Chrome SSL warnings
