I’m Allowing What? Disclosing the authority applications demand of users as a condition of installation

  • Jennifer Tam,
  • Robert W. Reeder,
  • Stuart Schechter

MSR-TR-2010-54

Computer operating systems, and now websites that serve as application platforms, are increasingly adopting stricter application security models; they restrict the resources applications can access to those authorized by the user. Users are asked to authorize access to these resources either when the application is installed or when previously-unauthorized resources are required. For example, Facebook requires its 400+ million users to make authorization decisions whenever an application first tries to run within a user’s account. The Android mobile phone OS requires its millions of users to make application authorization decisions when downloading new applications. While the security of these users’ systems and data increasingly rests on their ability to make these authorization decisions, there is little research to guide those designing these application authorization experiences.

We performed a laboratory study to evaluate different designs for disclosing the actions and resources that an application will be authorized to perform once installed. We used a within-participants design to observe thirty-three Facebook users’ ability to absorb and search information in seventeen different disclosure designs, all of which were presented in the context of a fictional Facebook application. These designs were chosen to proxy for designs users rely upon today, from platforms including Facebook, Android, OAuth, and HealthVault. Four of these designs conveyed only a set of resources to be authorized, such as the user’s contact information or friends. The other thirteen designs paired resources with different actions that could be performed on them, such as seeing contact information, changing contact information, or adding new contact information.

We find that participants overwhelmingly prefer disclosure designs that present resources visually, using icons or pictures, and can search those containing icons most quickly. Surprisingly, we find little variance in participants’ performance on our information-absorption tasks over widely varying disclosure designs. We do, however, find that participants perform better when disclosures are organized by actions, and followed by the various resources on which the actions would be authorized, than when information is grouped by the resources.