Computer operating systems, and now websites that serve as application platforms, are increasingly adopting stricter application security models; they restrict the resources applications can access to those authorized by the user. Users are asked to authorize access to these resources either when the application is installed or when previously-unauthorized resources are required. For example, Facebook requires its 400+ million users to make authorization decisions whenever an application first tries to run within a user’s account. The Android mobile phone OS requires its millions of users to make application authorization decisions when downloading new applications. While the security of these users’ systems and data increasingly rests on their ability to make these authorization decisions, there is little research to guide thos