Smartphones have become the most commonly-used computing platform. These devices allow third-party applications to create rich user experiences by granting the applications access to sensor data (e.g., location, accelerometers, etc.) and stored personal information. However, privacy and security problems exist when users cannot make informed choices about how their information may be used.

Our goal is to understand how users perceive various smartphone-related risks, their preferences for how their sensitive data should be used by applications and services, and the threats they face. We then use this data to create new user-centric systems that allow people to make more informed decisions about their privacy and security when using their mobile devices.

We’re broadly interested in answering the following questions:

• Under what circumstances do users want to be prompted with information about third-party applications may be accessing their personal information and/or sensor data?
• What steps do users take to mitigate risks on their devices?
• How can the permission-granting user experience be improved to facilitate informed consent?

Current Projects

The list of currently active projects can be found here.

Related Publications

• The Medium is the Message: How Secure Messaging Apps Leak Sensitive Data to Push Notification Services (PETS ’24)
• Log: It’s Big, It’s Heavy, It’s Filled with Personal Data! Measuring the Logging of Sensitive Information in the Android Ecosystem (USENIX Sec ’23)
• Lessons in VCR Repair: Compliance of Android App Developers with the California Consumer Privacy Act (CCPA) (PETS ’23)
• Developers Say the Darnedest Things: Privacy Compliance Processes Followed by Developers of Child-Directed Apps (PETS ’22)
• Users’ Expectations About and Use of Smartphone Privacy and Security Settings (CHI ’22)
• Actions Speak Louder than Words: Entity-Sensitive Privacy Policy and Data Flow Analysis with PoliCheck (USENIX Sec ’20)
• Disaster Privacy/Privacy Disaster (JASIST ’20)
• The Price is (Not) Right: Comparing Privacy in Free and Paid Apps (PETS ’20)
• 50 Ways to Leak Your Data: An Exploration of Apps’ Circumvention of the Android Permissions System (USENIX Sec ’19)
• On The Ridiculousness of Notice and Consent: Contradictions in App Privacy Policies (ConPro ’19)
• Do You Get What You Pay For? Comparing The Privacy Behaviors of Free vs. Paid Apps (ConPro ’19)
• “Won’t Somebody Think of the Children?” Examining COPPA Compliance at Scale (PETS ’18)
• Contextualizing Privacy Decisions for Better Prediction (and Protection) (CHI ’18)
• TurtleGuard: Helping Android Users Apply Contextual Privacy Preferences (SOUPS ’17)
• The Feasibility of Dynamically Granted Permissions: Aligning Mobile Privacy with User Preferences (Oakland ’17)
• “Is Our Children’s Apps Learning?” Automatically Detecting COPPA Violations (ConPro ’17)
• Keep on Lockin’ in the Free World: A Multi-National Comparison of Smartphone Locking (CHI ’16)
• The Anatomy of Smartphone Unlocking: A Field Study of Android Lock Screens (CHI ’16)
• Android Permissions Remystified: A Field Study on Contextual Integrity (USENIX Sec ’15)
• Are you ready to lock? understanding user motivations for smartphone locking behaviors (CCS ’14)
• The effect of developer-specified explanations for permission requests on smartphone user behavior (CHI ’14)
• When it’s better to ask forgiveness than get permission: attribution mechanisms for smartphone resources (SOUPS ’13)
• Android permissions: user attention, comprehension, and behavior (SOUPS ’12)
• Choice architecture and smartphone privacy: there’s a price for that (WEIS ’12)
• How to ask for permission (HotSec ’12)
• I’ve got 99 problems, but vibration ain’t one: a survey of smartphone users’ concerns (SPSM ’12)
• Location privacy: user behavior in the field (SPSM ’12)