Android's permission system is intended to inform users about the risks of installing applications. When a user installs an application, he or she has the opportunity to review the application's permission requests and cancel the installation if the permissions are excessive or objectionable. We examine whether the Android permission system is effective at …
Web users are shown an invalid certificate warning when their browser cannot validate the identity of the websites they are visiting. While these warnings often appear in benign situations, they can also signal a man-in-the-middle attack. We conducted a survey of over 400 Internet users to examine their reactions to and understanding of current SSL …
There are currently dozens of freely available tools to combat phishing and other web-based scams, many of which are web browser extensions that warn users when they are browsing a suspected phishing site. We developed an automated test bed for testing anti-phishing tools. We used 200 verified phishing URLs from two sources and 516 legitimate URLs to test …
All four of the most popular webmail providers – AOL, Google, Microsoft, and Yahoo! – rely on personal questions as the secondary authentication secrets used to reset account passwords. The security of these questions has received limited formal scrutiny, almost all of which predates webmail. We ran a user study to measure the reliability and security of …
Smartphone operating systems warn users when third-party applications try to access sensitive functions or data. However, all of the major smartphone platforms warn users about different application actions. To our knowledge, their selection of warnings was not grounded in user research; past research on mobile privacy has focused exclusively on the …
We performed a study of Facebook users to examine how they coped with limitations of the Facebook privacy settings interface. Students graduating and joining the workforce create significant problems for all but the most basic privacy settings on social networking websites. We therefore created realistic scenarios exploiting work/play boundaries that …
Many popular web browsers are now including active phishing warnings after previous research has shown that passive warnings are often ignored. In this laboratory study we examine the effectiveness of these warnings and examine if, how, and why they fail users. We simulated a spear phishing attack to expose users to browser warnings. We found that 97% of …
Companies' efforts to manage their information practices to produce transparent privacy policies have yielded mixed results. Web retailers detail such practices in their online privacy policies, but most of the time this information remains invisible to consumers. This paper reports on research undertaken to determine whether a more prominent display of …
We instrumented the Android platform to collect data regarding how often and under what circumstances smartphone applications access protected resources regulated by permissions. We performed a 36-person field study to explore the notion of "contextual integrity," i.e., how often applications access protected resources when users are not expecting it. …
We present the results of an experiment examining the extent to which individuals will tolerate delays when told that such delays are for security purposes. In our experiment, we asked 800 Amazon Mechanical Turk users to count the total number of times a certain term was repeated in a multi-page document. The task was designed to be conducive to cheating. …