Usability, Efficacy of Permission-Based Access Controls Remain Security Challenge, FTC Says

blog post Thursday. The usability of permissions has been widely debated in the security community, he said, because researchers have noted users may become habituated to run-time warnings, making them ineffective. Developers have observed that run-time dialogues in mobile operating systems can be similarly problematic since an application “usually barrages users with a stack of dialogs on its first launch,” which can lead to the user “carelessly dismissing all of them without reading them,” Sannappa said. The risk of habituation prompted Google and Microsoft to implement install-time permissions in Android and Windows Phone so users wouldn’t say "OK" or ignore every dialogue shown, he said. “Despite a history of usability concerns, permissions appear to be a useful tool in increasing transparency and encouraging developers to adhere to the principle of least privilege,” Sannappa said. “The Commission has long supported the idea of layered disclosures presented in a context that is useful for consumers,” he said. “From this perspective, permissions in mobile operating systems are clearly an improvement over the opacity of traditional operating systems, which often led to disclosures buried in lengthy legal documents.” Increasing the usability and efficacy of permissions remains an important challenge to address, he said. “To minimize habituation and increase user comprehension, mobile operating systems should only ask users to make security decisions when information flows defy user expectations,” Sannappa said. “By providing incentives and opportunities for developers to adhere to the principle of least privilege, mobile operating systems can help minimize the situations in which users must confront such information flows,” he said. “And by providing greater context for access requests, mobile operating systems can help users make informed decisions about such information flows.”