No technical understanding required: Helping users make informed choices about access to their personal data

Many smartphone apps collect personal information used for a variety of purposes. Users, however, are often unaware of this kind of access even though they must grant the required permissions upon app installation. We have identified three reasons for this unawareness. First, relevant permissions can be missed in long lists of permissions. Second, apps that access personal information for functionality may appear suspicious even if they don't have the ability to disclose that information. Finally, updates to apps can lead to new permissions, accessing personal data, being granted.

We modified the Google Play permissions interface to include a quantitative measure (sensitivity score) of an app's ability to disclose personal information and to highlight the relevant permissions that contributed to this score in order to focus the user's attention on permissions that have the ability to access personal data. These improvements are easily integratable within the current structures and policies of the Android permissions interface and have been designed to allow inexperienced users to understand the permission interface and make informed and conscious decisions about access to their personal data.

We validated the effectiveness of this approach with a study of 125 Android smartphone users. We compared the current and improved versions of the interface and found that our improved permission interface led participants - especially inexperienced ones - to choose apps with less possible access to their personal data.