0
1
Engineering &
Public Policy
The Privacy and
Security Behaviors of
Smartphone
App Developers
Rebecca Balebako, Abigail
Ma...
App Developer decisions
• Privacy and Security features compete with
• Features requested by customers
• Data requested by...
Research Project
• Exploratory Interviews
• Quantitative on-line study
3
Findings
• Small companies lack privacy and security behaviors
• Small company developers rely on social ties for advice
•...
Participant Recruitment
• 13 developers interviewed
• Recruited through craigslist and Meetups
• $20 for one-hour intervie...
Participant Demographics
• Variety of revenue models
• Advertising
• Subscription
• Pay-per-use
• Non-Profit
• Seven diffe...
Tools impact privacy and security
• Interviewees do:
• Use cloud computing
• Use authentication tools such as Facebook
• U...
Tools not used
• Interviewees don‟t use or are unaware of:
• Use privacy policy generators
• Use security audits
• Read th...
9
On-line surveys
• 228 app developers
• Paid $5 (avg: 15 minutes)
• Recruited through
craigslist, reddit, Facebook, backpag...
Company demographics
• Platforms
• iOS (62%)
• Android (62%)
• Windows (17%)
• Blackberry (4%)
• Palm (3%)
• Large Company...
Data collected or stored
Behavior Collect or Store
Parameters specific to my app 84%
Which apps are installed 74%
Location...
Privacy and security behaviors
Behavior Percent
Use SSL 84%
Encrypt everything (all data collected) 57%
Have CPO or equiva...
Company size and behaviors
14
Who do you turn to?
15
Who do you turn to?
16
Ad and analytics heavily used
• 87.4% use at least one analytics company
• 86.5% use at least one advertising company
17
Third-party tools
18
How Familiar Are You With The Types Of
Data Collected By Third-Party Tools
19
Findings
• Small companies lack privacy and security behaviors
• Free or quick tools needed
• Usable tools needed
• Small ...
balebako@cmu.edu
Questions?
Privacy Policies Are Not Considered
Useful
“I haven‟t even read [our privacy policy]. I mean,
it‟s just legal stuff that‟s...
Developers have time and resource
constraints
• “I don‟t see the time it would take to implement
that over cutting and pas...
Privacy and security behaviors
Behavior Percent
Use SSL 83.8%
Encrypt data on phone 59.6%
Encrypt data in database 53.1%
E...
Ad and analytics
Ad or analytic provider percent
Google analytics 82%
Google ads 64%
Flurry analytics 17%
No ads 13%
No an...
Advice
26
Upcoming SlideShare
Loading in...5
×

The Privacy and Security Behaviors of Smartphone, at USEC 2014

193

Published on

Talk presented at USEC 2014.

Smartphone app developers have to make many privacy-related decisions about what data to collect about end-users, and how that data is used. We explore how app developers make decisions about privacy and security. Additionally, we examine whether any privacy and security behaviors are related to characteristics of the app development companies. We conduct a series of interviews with 13 app developers to obtain rich qualitative information about privacy and security decision-making. We use an online survey of 228 app developers to quantify behaviors and test our hypotheses about the relationship between privacy and security behaviors and company characteristics. We find that smaller companies are less likely to demonstrate positive privacy and security behaviors. Additionally, although third-party tools for ads and analytics are pervasive, developers aren’t aware of the data collected by these tools. We suggest tools and opportunities to reduce the barriers for app developers to implement privacy and security best practices.

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
193
On Slideshare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
8
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide
  • Presented at USEC 2014http://www.usecap.org/usec14.html
  • Opportunities to teach So what or now what? Call to action- usable tools- third-party librarues
  • Discarded 232 results.
  • 1 employee: 5%2-9 employees: 15%10-30 employees: 20%31-100 employees: 48%100+ employees: 12%
  • We found that the size of a company does help determinewhether they have a CPO (2 test p< 0.001), whether they havea privacy policy (2 tests p=.002), and whether they encrypteverything (2 tests p< 0.001). However, the company sizewas not correlated with SSL using the conservative correctedsignificance level (2 tests p=.009).
  • “Who, if anyone, doyou turn to when you have questions about consumer privacy and security?”
  • “Who, if anyone, doyou turn to when you have questions about consumer privacy and security?”Options included: Developers from meetups, developers within my company, lawert within and outside companyKruskal-Wallis test p<.0001
  • most app developers (87.4\%) used at least one analytics company, with one in five using two or more analytics companies.Most apps also used an advertising company: 86.5\% selected one or more advertising companies in use, using on average 1.78 ad companies (SD=1.33).
  • Many tools or documents that help app developers make privacy decisions discuss third-party data sharing. For example, The CA AG recommendation says that app developers should…
  • This is indicates that users are confused about the term ‘third-party tools’ and that tools and documents should clarify that these include ads and analyticsPie chart fonts are to small to see
  • Ooputunities to teach So what or now what? Call to action - usable tools- third-party librarues
  • most app developers (87.4\%) used at least one analytics company, with one in five using two or more analytics companies.Most apps also used an advertising company: 86.5\% selected one or more advertising companies in use, using on average 1.78 ad companies (SD=1.33).
  • Who if anyone, do you turn to when you have questions about privacy and security
  • Transcript of "The Privacy and Security Behaviors of Smartphone, at USEC 2014"

    1. 1. 1 Engineering & Public Policy The Privacy and Security Behaviors of Smartphone App Developers Rebecca Balebako, Abigail Marsh, Jialiu Lin, Jason Hong, Lorrie Faith Cranor
    2. 2. App Developer decisions • Privacy and Security features compete with • Features requested by customers • Data requested by financers • Revenue model 2
    3. 3. Research Project • Exploratory Interviews • Quantitative on-line study 3
    4. 4. Findings • Small companies lack privacy and security behaviors • Small company developers rely on social ties for advice • Legalese hinders reading and writing of privacy policies • Third-Party tools heavily used 4
    5. 5. Participant Recruitment • 13 developers interviewed • Recruited through craigslist and Meetups • $20 for one-hour interview 5
    6. 6. Participant Demographics • Variety of revenue models • Advertising • Subscription • Pay-per-use • Non-Profit • Seven different states • Small company size well-represented 6
    7. 7. Tools impact privacy and security • Interviewees do: • Use cloud computing • Use authentication tools such as Facebook • Use analytics such as Google and Flurry • Use open source tools such as mysql 7
    8. 8. Tools not used • Interviewees don‟t use or are unaware of: • Use privacy policy generators • Use security audits • Read third-party privacy policies • Delete data 8
    9. 9. 9
    10. 10. On-line surveys • 228 app developers • Paid $5 (avg: 15 minutes) • Recruited through craigslist, reddit, Facebook, backpage.com • Developer demographics • Majority were „Programmer or Software Engineer‟ or „Product or Project Manager‟ • Avg age: 30 (18-50 years) 10
    11. 11. Company demographics • Platforms • iOS (62%) • Android (62%) • Windows (17%) • Blackberry (4%) • Palm (3%) • Large Company Size well-represented 11
    12. 12. Data collected or stored Behavior Collect or Store Parameters specific to my app 84% Which apps are installed 74% Location 72% Sensor information (not location-related) 63% 12
    13. 13. Privacy and security behaviors Behavior Percent Use SSL 84% Encrypt everything (all data collected) 57% Have CPO or equivalent 78% Privacy Policy on website 58% 13 • Room for improvement!
    14. 14. Company size and behaviors 14
    15. 15. Who do you turn to? 15
    16. 16. Who do you turn to? 16
    17. 17. Ad and analytics heavily used • 87.4% use at least one analytics company • 86.5% use at least one advertising company 17
    18. 18. Third-party tools 18
    19. 19. How Familiar Are You With The Types Of Data Collected By Third-Party Tools 19
    20. 20. Findings • Small companies lack privacy and security behaviors • Free or quick tools needed • Usable tools needed • Small company developers rely on social ties for advice • Opportunities for intervention in social networks • Legalese hinders reading and writing of privacy policies • Third-Party tools heavily used • Third-party tools should be explicit about data handling 20
    21. 21. balebako@cmu.edu Questions?
    22. 22. Privacy Policies Are Not Considered Useful “I haven‟t even read [our privacy policy]. I mean, it‟s just legal stuff that‟s required, so I just put in there.” – P4 22
    23. 23. Developers have time and resource constraints • “I don‟t see the time it would take to implement that over cutting and pasting someone else‟s privacy policies.... I don‟t see the value being such that that‟s worth it.” -P10 23
    24. 24. Privacy and security behaviors Behavior Percent Use SSL 83.8% Encrypt data on phone 59.6% Encrypt data in database 53.1% Encrypt everything (all data collected) 57.0% Revenue from advertising 48.2% Have CPO or equivalent 78.1% Privacy Policy on website 57.9% 24
    25. 25. Ad and analytics Ad or analytic provider percent Google analytics 82% Google ads 64% Flurry analytics 17% No ads 13% No analytics 13% 25
    26. 26. Advice 26
    1. A particular slide catching your eye?

      Clipping is a handy way to collect important slides you want to go back to later.

    ×