Helping John to Make Informed Decisions on Using Social Login

Users make two privacy-related decisions when signing up for a new Service Provider (SP): (1) whether to use an existing Single Sign-On (SSO) account of an Identity Provider (IdP), or not, and (2) the information the IdP is allowed to share with the SP under specific conditions. From a privacy point of view, the use of existing social network-based SSO solutions (i.e. social login) is not recommended. This advice, however, comes at the expense of security, usability, and functionality. Thus, in principle, it should be up to the user to consider all advantages and disadvantages of using SSO and to consent to requested permissions, provided that she is well informed. Another issue is that existing social login sign-up interfaces are often not compliant with legal privacy requirements for informed consent and Privacy by Default. Accordingly, our research focuses on enabling informed decisions and consent in this context. To this end, we identified users’ problems and usability issues from the literature and an expert cognitive walkthrough.We also elicited end user and legal privacy requirements for user interfaces (UIs) providing informed consent. This input as used to develop a tutorial to inform users on the pros and cons of sign-up methods and to design SSO sign-up UIs for privacy. A between-subject laboratory study with 80 participants was used to test both the tutorial and the UIs. We demonstrate an increase in the level to which users are informed when deciding and providing consent in the context of social login

Profile Analysis of Mobile Application Security

ABSTRACT This thesis conducts profile analysis on the mobile application security using peer-review articles that were published from 2010 to 2018. From the analysis, we will identify prolific authors, intuitions, and geographic regions as well as the topics addressed by the articles. The profile analysis will reveal most frequently used research methods, research approaches (quantitative, qualitative and mixed), and theories used to study the field. This thesis reveals that none of the researchers have made significant contributions to the field, and researches are not collaborating to solve their research problems. The profile analysis shows that surveys and experiments are the most utilized research methods, and most researchers studied the field at a higher level, i.e., security was the focus of the research but did not go deeper into various aspects of security such as privacy, security vulnerabilities, and mobile application security best practices

Assessments of a Cloud-Based Data Wallet for Personal Identity Management

Within a project developing cloud technology for identity access management, usability tests of mockups of a mobile app identity provider were conducted to assess users’ consciousness of data disclosures in consent forms and flow of authentication data. Results show that using one’s fingerprint for giving consent was easy, but most participants had not a correct view of where the fingerprint data is used and what entities would have access to it. Familiarity with ID apps appeared to aggravate misunderstanding. In addition, participants could not well recall details of personal data releases and settings for disclosure options. An evaluation with a confirmation screen slightly improved recall rate. However, some participants voiced a desire to have control over their data and expressed a wish to manually select mandatory information. This can be a way of slowing users down and make them reflect more.CREDENTIA