Until now, assessing the security and privacy of smartphone apps has been a task for IT professionals. What if users could decide for themselves whether they regard an app as a security risk? How would they assess it? These questions were answered by an interdisciplinary research team of political and computer scientists in the DatSec4App project at MCIR (now BIDT). They have developed a tool that gives recommendations to different types of users: Does the app suit me and my security needs or does it not?
The computer scientists at the Fraunhofer Institute AISEC used their analysis tool App-Ray. It assesses the data protection and security risks of smartphone apps from a technical point of view. The political scientists at the Bundeswehr University Munich supplemented this technical assessment with the subjective view of the users: they interviewed around 2000 smartphone users aged between 13 and 65 and identified five different user types with the help of a cluster analysis. This makes it possible to give recommendations that fit the user's sense of security.
Whether you would install and use the barcode scanner at all - if you knew what the app does and can do - depends on which user type you are: Are you the Carefree, the Security-Critical, the Control-Believer? Are you a teenager or an adult? Do you scan the barcode with your business phone or your private smartphone?
The Security-Critical is very cautious with his personal data and worries that the security of his data is threatened by criminals, the state or data-collecting companies. The Control-Believer is also very cautious when it comes to the disclosure of his personal information. But he relies on the effectiveness of control and protection mechanisms of corporations and governments. He feels more secure when he has control over the functions and access rights of apps. The Carefree is more generous with his data. He is more willing to disclose personal information and trusts third parties to handle his data fairly. When in doubt, he would rather not know the details.
Surprisingly, when a business phone is used, users are rather generous with personal data on their smartphones. Similarly, most companies do not provide their employees with security specifications for downloading and using apps. Young users are relatively generous and trusting when it comes to revealing personal data and the use of this data by apps. However, they are reluctant when it comes to photos that show not only themselves but also their friends.
The interdisciplinary team has succeeded in integrating this subjective assessment of user types into App-Ray. Smartphone users can now view the security assessment of an app from their own perspective. It takes very little to do this: just answer five questions and you know which user type you are most similar to. And then you can start downloading the apps or deliberately avoid them.