Mobile Device Security
For Mobile Users, Positive Safety Messages More Effective Than Security Warnings
Ratings of the security risks associated with smartphone apps affect users'
decisions whether to install those apps, but information about the safety of an
app is more effective than information about its risks, according to researchers
from Purdue University.
The report, "Effective Risk Communication for Android Apps," was published in
the May-June issue of
Dependable and Secure Computing. The researchers examined the effects of
including information about app permissions on users' decisions to install apps.
They tested the effectiveness of including summary risk information and tested
various methods of conveying that information to determine which approach was
Although most mobile systems have strong security measures in place, they
often rely on users to make decisions that affect the security of the device,
according to the authors. When users install apps, they may unwittingly
give permission for malicious or intrusive apps to track their location and
monitor their phone calls and text messages, including authentication messages
used by secure sites. According to the researchers, users install these
malicious apps without realizing the risks because they don't understand the
permissions the app is requesting.
The researchers focused on the Android operating system, which includes more
than 200 app permissions, many of which "do not make sense to the average user
or at best require time and considerable mental effort to comprehend," according
to information on the National Science Foundation
site, which funded the project. While users pay some attention to
permissions, they also consider average ratings, number of downloads and user
comments. Higher quality apps tend to get higher ratings, and users tend to
submit comments about the security and privacy of an app.
Current app permissions are designed for the app developers, rather than the
users, Ninghui Li, one of the researchers told NSF. Based on the results of
their experiments, the researchers believe it would be more effective to display
a risk score for each app because it would make the risk more obvious to users
and provide an incentive for developers to reduce their use of personal
information when developing apps. They also believe the inclusion of risk scores
could increase user curiosity about security information and cause them to pay
more attention to the warnings.
However, the researchers also found that people tend to pay more attention to
safety information than risk information. The reason may be that users tend to
base their decision to install an app on other positive information about it,
such as the user ratings, number of downloads and user comments, so it follows
that a positive safety rating is more compatible with the decision-making
process than a negative risk rating.
The full report, "Effective Risk Communication for Android Apps," can be
found in the May-June issue of
Dependable and Secure Computing.
Leila Meyer is a technology writer based in British Columbia. She can be reached at firstname.lastname@example.org.