Posted on 2023-11-29, 18:15, authored by Trung Tin Nguyen, Duc Cuong Nguyen, Michael Schilling, Gang Wang, Michael Backes
Understanding users' perception of app behaviors is an important step to detect data access that violates user expectations. While existing works have used various proxies to infer user expectations (e.g., by analyzing app descriptions), how real-world users perceive an app's data access when they interact with graphical user interfaces (UI) has not been fully explored.
In this paper, we aimed to fill this gap by directly measuring how end-users perceive app behaviors based on graphical UI elements via extensive user studies. The results are used to build an automated tool - GUIBAT (Graphical User Interface Behavioral Analysis Tool) - that detects sensitive resource accesses that violate user expectations. We conducted three user studies in total (N=904). The first two user studies were used to build a semantic mapping between user expectations of sensitive resource accesses and the common graphical UI elements (N=459). The third user study (N=445) was used to validate the performance of GUIBAT in predicting user expectations. By comparing user expectations and the actual app behavior (inferred by static program analysis) for 47,909 Android apps, we found that 75.38% of the apps have at least one unexpected sensitive resource access, with third-party libraries accounting for 46.13%. Our analysis lays a concrete foundation for modeling user expectations based on UI elements. We show the urgent need for more transparent UI designs to better inform users of data access, and call for new tools to support app developers in this endeavor.
History
Preferred Citation
Trung Nguyen, Duc Nguyen, Michael Schilling, Gang Wang and Michael Backes. Measuring User Perception for Detecting Unexpected Access to Sensitive Resource in Mobile Apps. In: ACM ASIA Conference on Computer and Communications Security (AsiaCCS). 2021.
Primary Research Area
Empirical and Behavioral Security
Name of Conference
ACM ASIA Conference on Computer and Communications Security (AsiaCCS)
Legacy Posted Date
2020-12-09
Open Access Type
Green
BibTeX
@inproceedings{cispa_all_3291,
title = "Measuring User Perception for Detecting Unexpected Access to Sensitive Resource in Mobile Apps",
author = "Nguyen, Trung Tin and Nguyen, Duc Cuong and Schilling, Michael and Wang, Gang and Backes, Michael",
booktitle="{ACM ASIA Conference on Computer and Communications Security (AsiaCCS)}",
year="2021",
}