DOI: 10.1145/2660267.2660273
research-article

Are You Ready to Lock?

Published: 03 November 2014

ABSTRACT

In addition to storing a plethora of sensitive personal and work information, smartphones also store sensor data about users and their daily activities. In order to understand users' behaviors and attitudes towards the security of their smartphone data, we conducted 28 qualitative interviews. We examined why users choose (or choose not) to employ locking mechanisms (e.g., PINs) and their perceptions and awareness about the sensitivity of the data stored on their devices. We performed two additional online experiments to quantify our interview results and the extent to which sensitive data could be found in a user's smartphone-accessible email archive. We observed a strong correlation between use of security features and risk perceptions, which indicates rational behavior. However, we also observed that most users likely underestimate the extent to which data stored on their smartphones pervades their identities, online and offline.


Published in

CCS '14: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security
November 2014
1592 pages
ISBN: 9781450329576
DOI: 10.1145/2660267

Copyright © 2014 ACM

Publisher: Association for Computing Machinery, New York, NY, United States

Acceptance Rates

CCS '14 Paper Acceptance Rate: 114 of 585 submissions, 19%
Overall Acceptance Rate: 1,261 of 6,999 submissions, 18%
