Second Workshop on Usable Privacy & Security
|
9:00 - 9:15 | Welcome |
9:15 - 10:15 | Keynote - Alex De Luca, Ludwig-Maximilians-Universität München |
10:15 - 11:00 | Break (Room 16) |
11:00 - 11:40 | Session A
11:00 - Towards an Application-driven Mobile Authentication Model
Nicholas Micallef (Glasgow Caledonian University), Mike Just (Glasgow Caledonian University), Lynne Baillie (Glasgow Caledonian University), Gunes Kayacik (Glasgow Caledonian University)
The target of this research is to define an authentication model which improves the user experience and facilitates sharing of mobile devices without reducing the level of security. To reach this target we move out of the current binary security model that offers all-or-nothing access to the device by leveraging on the use of inbuilt sensors to define 'passive' authentication only in situations where authentication is “really required”. We determine which situations really require passive authentication by classifying applications according to the amount of sensitive personal information that they access or store. The user is only prompted with an explicit authentication mechanism (e.g. PIN, password) when passive authentication does not meet an established threshold. We present some preliminary results gathered from our first data collection exercise which shows that the number of “unlocks” that a user needs to perform can be considerably reduced by making some applications available without the need for an explicit unlocking. Finally, we define the way forward by explaining what types of evaluations are going to be conducted to evaluate the proposed authentication model.
11:10 - Context-Based Security Questions for Fallback Authentication on Mobile Devices
Alina Hang (Media Informatics Group, University of Munich (LMU))
Fallback authentication is needed when the primary authentication fails and the user wants to regain access to her account and data. Current fallback solutions mostly rely on security questions. However, security questions have multiple shortcomings, particularly in terms of usability and security. We believe that the design of security questions can be improved by the use of implicit information that is available on mobile devices (e.g. app usage, call history, etc.). In this paper, we propose the use of context-based security questions for the design of fallback authentication systems on mobile devices. We present the preliminary results of our work-in-progress and discuss their implications.
11:20 - Discussion
|
11:40 - 12:20 | Session B
11:40 - Risky Business: A Study on User Awareness and Valuation of Cellular Privacy Risks
Dipayan Ghosh (Cornell University), Stephanie Santoso (Cornell University), Stephen Wicker (Cornell University), Dawn Schrader (Cornell University), Jubo Yan (Cornell University), William Schulze (Cornell University)
Privacy risks abound for users of smart phones, but smart phone users often are not aware of these risks or undervalue the impact of these risks. In this paper, we present the results of a national survey on smart phone privacy that investigates user awareness of privacy risks related to smart phones, including location privacy, cellular data privacy, and network usage privacy issues. Additionally, we employ a conditional choice model to determine how much cellular location privacy is worth to smart phone users. Our findings suggest that many users are either unaware of the privacy risks associated with smart phone use or do not know how to effectively protect their privacy. Further, we find that on average, participants are willing to pay about $12 each month to protect their cellular location privacy. We use these results to design policy recommendations for stakeholders in the smart phone industry.
11:50 - The Security Assistant - Investigating the Effect of Privacy and Security Information on Perceived Usability, Trust and Behavior
Marc Busch (CURE - Center for Usability Research and Engineering), Christina Hochleitner (CURE - Center for Usability Research and Engineering), Manfred Tscheligi (University of Salzburg, ICT&S Center)
In this position paper we present the design and work-in-progress evaluation of the Security Assistant, a privacy-enhancing technology that informs users about security and privacy in the interaction with intelligent objects and mobile devices in home and business contexts. In an ongoing empirical user study described in this paper with N = 87 participants in Germany, Austria and Norway, we study the effect of the Security Assistant in two conditions (indicating either low or high security status of the connection with the intelligent objects) on the users’ perceived usability, trust and their behavioral compliance (e.g. if they listen to the recommendations of the Security Assistant). Furthermore, we plan to explore interrelations between psychological constructs (usability and trust), behavior and relevant personality traits, to fully understand the impact of the Security Assistant on the user.
12:00 - Discussion
|
12:20 - 13:50 | Lunch (Senatssaal) |
13:50 - 14:30 | Session C
13:50 - Exploring Interaction between Smartphone Choice and Human Aspects of Security and Privacy
Zinaida Benenson (University of Erlangen-Nuremberg), Lena Reinfelder (University of Erlangen-Nuremberg), Freya Gassmann (Saarland University)
We argue that the distinct features of the two most popular smartphone operating systems worldwide, Android and iOS, influence security and privacy attitudes and behavior of the respective users. This especially holds for features that are visible (at least, in principle) to non-expert users, such as differences in app market policies (open versus closed) and in presentation of the personal data usage by the apps (permissions versus runtime consent). As a case study, we explore the relationship between the choice of the smartphone and privacy awareness of the users and present initial research results based on an online survey with more than 700 German respondents.
14:00 - Folk Models of Smartphone Users
Melanie Volkamer (TU Darmstadt), Michaela Kauer (TU Darmstadt), Sinem Emeroz (TU Darmstadt), Karen Renaud (Glasgow)
The increasing usage of smartphones also leads to an increasing number of attacks against smartphone users. In order to build security measures for smartphones, it is essential to understand users’ perceptions and the way of thinking about smartphone security. In this work, we identify users’ mental models with respect to smartphone security aspects such as access control, virus scanners, Smishing, and app security. The mental models are identified from 20 semi-structured interviews in Germany.
14:10 - Discussion
|
14:30 - 15:00 | Break (Room 16) |
15:00 - 15:40 | Session D
15:00 - Controlling Location Disclosure by Distinguishing between Public and Private Spaces
Jeremy Wood (LocationAnonymization.com)
Location sharing apps typically offer users limited options for specifying their complex preferences regarding when and to whom they want their location disclosed. But offering users more extensive options threatens to increase the user burden considerably. We evaluate a method which uses detailed maps to automatically distinguish public and private locations. The results show promise in that the method gives users additional control in disclosing their location data, without significantly increasing the user burden.
15:10 - The Effects of Developer-Specified Explanations for Smartphone Permission Requests
Christopher Thompson (UC Berkeley), Serge Egelman (UC Berkeley)
Apple's iOS 6 gave developers the ability to optionally include their own text within runtime permission requests. The reasoning behind this idea is that users can make better decisions about their personal data if they are given more verbose explanations of why their data is being requested by a third-party app. We hypothesize that this ability, while well intentioned, will likely lead to greater user confusion. We present preliminary data, as well as a research agenda to examine how many apps take advantage of these developer-specified explanations, whether users understand the explanations, and whether the explanations are accurate.
15:20 - Discussion
|
15:40 - 16:35 | Open Mic / General Discussion |
16:30 - 16:45 | Closing Remarks |
Sonia Chiasson, Carleton University
chiasson@scs.carleton.ca
Heather Crawford, Florida Institute of Technology
heatherannecrawford@gmail.com
Serge Egelman, UC Berkeley
egelman@cs.berkeley.edu
Pourang Irani, University of Manitoba
irani@cs.umanitoba.ca