Thesis Defense


"On a (Per)Mission: Leveraging User Ratings of App Permissions to Help Users Manage Privacy"

Hannah Quay-de la Vallee

Tuesday, April 25, 2017, at 3:00 P.M.

Room 368 (CIT 3rd Floor)

Apps provide valuable utility and customizability to a range of user devices, but installation of third-party apps also presents significant security risks. Many app systems use permissions to mitigate this risk. It then falls to users to decide which apps to install and how to manage their permissions, but unfortunately, many users lack the expertise to do this in a meaningful way.

In this thesis, I determine that users face two distinct privacy decisions when using apps: which apps to install, and how to manage apps' permissions once they are installed. In both cases, users are not given meaningful guidance to help them make these choices.

For decisions about which apps to install, users would benefit from privacy information in the app marketplace, since that is how most users choose apps. Once users install an app, they are confronted with the second type of decision: how to manage the app's permissions. In this case, users would benefit from an assistant that helps them see which permissions might present privacy concerns. I present two tools: a privacy-conscious app marketplace and a permission management assistant.

Both of these tools rely on privacy information, in the form of ratings of apps' permissions. I discuss gathering this rating information from both human and automated sources and how it is used in the two tools. I also explore how the brand of an app could affect how users rate its permissions. Additionally, because my goal is to convey privacy information to users, I design and evaluate several interfaces for displaying privacy ratings. I discuss surprising misconceptions generated by some of these interfaces, and present an interface that effectively communicates permission ratings.

Host: Shriram Krishnamurthi