Look before you Authorize: Using Eye-Tracking to Enforce User Attention towards Application Permissions

Open access


Habituation is a key factor behind the lack of attention towards permission authorization dialogs during third party application installation. Various solutions have been proposed to combat the problem of achieving attention switch towards permissions. However, users continue to ignore these dialogs, and authorize dangerous permissions, which leads to security and privacy breaches.

We leverage eye-tracking to approach this problem, and propose a mechanism for enforcing user attention towards application permissions before users are able to authorize them. We deactivate the dialog’s decision buttons initially, and use feedback from the eye-tracker to ensure that the user has looked at the permissions. After determining user attention, the buttons are activated. We implemented a prototype of our approach as a Chrome browser extension, and conducted a user study on Facebook’s application authorization dialogs. Using participants’ permission identification, eye-gaze fixations, and authorization decisions, we evaluate participants’ attention towards permissions. The participants who used our approach on authorization dialogs were able to identify the permissions better, compared to the rest of the participants, even after the habituation period. Their average number of eye-gaze fixations on the permission text was significantly higher than the other group participants. However, examining the rate in which participants denied a dangerous and unnecessary permission, the hypothesized increase from the control group to the treatment group was not statistically significant.

[2] The eye tribe tracker. https://theeyetribe.com.

[3] Facebook security issue: Facebook color scam, back again. https://developers.facebook.com/docs/facebook-login/login-flow-for-web/v2.2.

[4] The ‘most used words’ facebook quiz app accused of data stealing. http://www.forbes.com/sites/amitchowdhry/2015/11/29/the-most-used-words-facebook-quiz-app/#73c615c14bb6.

[5] Facebook login flow. http://www.cmcm.com/blog/2014-08-07/348.html, 2014.

[6] B. B. Anderson, C. B. Kirwan, J. L. Jenkins, D. Eargle, S. Howard, and A. Vance. How polymorphic warnings reduce habituation in the brain–insights from an fmri study. In CHI. ACM, 2015.

[7] M. Arianezhad, L. J. Camp, T. Kelley, and D. Stebila. Comparative eye tracking of experts and novices in web single sign-on. In Proceedings of the third ACM conference on Data and application security and privacy, pages 105–116. ACM, 2013.

[8] A. Besmer, J. Watson, and H. R. Lipford. The impact of social navigation on privacy policy configuration. In SOUPS, 2010.

[9] C. Bravo-Lillo, L. Cranor, S. Komanduri, S. Schechter, and M. Sleeper. Harder to ignore? revisiting pop-up fatigue and approaches to prevent it. In 10th Symposium On Usable Privacy and Security (SOUPS 2014), pages 105–111, Menlo Park, CA, July 2014. USENIX Association.

[10] C. Bravo-Lillo, S. Komanduri, L. F. Cranor, R. W. Reeder, M. Sleeper, J. Downs, and S. Schechter. Your attention please: Designing security-decision uis to make genuine risks harder to ignore. In Proceedings of the Ninth Symposium on Usable Privacy and Security, SOUPS ’13, pages 6:1–6:12, New York, NY, USA, 2013. ACM.

[11] P. H. Chia, Y. Yamamoto, and N. Asokan. Is this app safe?: a large scale study on application permissions and risk signals. In Proceedings of the 21st international conference on World Wide Web, pages 311–320. ACM, 2012.

[12] S. Egelman. My profile is my password, verify me!: the privacy/convenience tradeoff of facebook connect. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, pages 2369–2378. ACM, 2013.

[13] A. P. Felt, E. Ha, S. Egelman, A. Haney, E. Chin, and D. Wagner. Android permissions: User attention, comprehension, and behavior. In Proceedings of the Eighth Symposium on Usable Privacy and Security, page 3. ACM, 2012.

[14] S. Furman and M. Theofanos. Preserving privacy–more than reading a message. In Universal Access in Human-Computer Interaction. Design for All and Accessibility Practice, pages 14–25. Springer, 2014.

[15] M. Harbach, M. Hettig, S. Weber, and M. Smith. Using personal examples to improve risk communication for security & privacy decisions. In Proceedings of the 32Nd Annual ACM Conference on Human Factors in Computing Systems, CHI ’14, pages 2647–2656, New York, NY, USA, 2014. ACM.

[16] M. J. Kalsher and K. J. Williams. Behavioral compliance: Theory, methodology, and results. Handbook of warnings, pages 313–329, 2006.

[17] D. Miyamoto, T. Iimura, G. Blanc, H. Tazaki, and Y. Kadobayashi. Eyebit: Eye-tracking approach for enforcing phishing prevention habits. In 2014 Third International Workshop on Building Analysis Datasets and Gathering Experience Returns for Security (BADGERS), pages 56–65. IEEE, 2014.

[18] M. S. Rahman, T.-K. Huang, H. V. Madhyastha, and M. Faloutsos. Frappe: detecting malicious facebook applications. In Proceedings of the 8th international conference on Emerging networking experiments and technologies, pages 313–324. ACM, 2012.

[19] B. P. Sarma, N. Li, C. Gates, R. Potharaju, C. Nita-Rotaru, and I. Molloy. Android permissions: A perspective combining risks and benefits. In Proceedings of the 17th ACM Symposium on Access Control Models and Technologies, SACMAT ’12, pages 13–22, New York, NY, USA, 2012. ACM.

[20] E. Steel and G. A. Fowler. Facebook in privacy breach. http://www.wsj.com/articles/SB10001424052702304772804575558484075236968, Oct. 2010.

[21] T. Whalen and K. M. Inkpen. Gathering evidence: Use of visual security cues in web browsers. In Proceedings of Graphics Interface 2005, GI ’05, pages 137–144, School of Computer Science, University of Waterloo, Waterloo, Ontario, Canada, 2005. Canadian Human-Computer Communications Society.

Journal Information

Cited By


All Time Past Year Past 30 Days
Abstract Views 0 0 0
Full Text Views 187 187 30
PDF Downloads 116 116 12