App reviews, usable workflows, and feedback loops

SECURITY | Written on 23 December 2013. Last edited on 29 October 2014.

There’s been a lot of discussion lately about iOS apps showing users modal dialogues requesting that they rate the app on the App Store. Like this (from Eff Your Review):

effyr_instagram effyr_vine effyr_facebook

The forces encouraging this behavior are complex, and relate to issues of discoverability and ranking in the App Store. There’s been debate about how to curtail these¹.

My lab likes to think about app markets as a place where feedback loops exist, and part of our research into improving the security and privacy of apps (particularly with permission systems) relies on feedback from a user affecting the marketplace itself. Here’s a flowchart of the entire thing from one of David Wagner’s overview talks:

App Flowchart

There’s been work to provide tools to improve apps (to help developers reduce overprivileging their apps², to detect insecure use of APIs³, etc.), or to improve the platform⁴ (making permissions clearer, showing warnings to users at the right time, avoiding habituation). But we make a big assumption:

Not all users need to notice or understand all warnings or notifications for these new systems to be effective — if some fraction of users do notice, and provide feedback back into the marketplace or to the developers when undesirable behavior occurs, then these systems can still have a positive effect on the quality of apps on a platform.

This assumption is primarily based on research that shows that app reviews are one of the most significant factors in a user’s decision to install an app⁵. So if some users notice misbehaviors or warnings, and understand them, then they can write good reviews using them, helping all of the novice users that only look over reviews when considering apps.

But is this actually enough? Can we really say that because some users could write better reviews that our work could actually lead to better app markets?

The recent app rating brouhaha seems particularly relevant. App markets and platforms need to help out enough to make this work:

Users need to be encouraged to write reviews. This is particularly important for apps that user don’t keep installed.
Useful reviews should be easy to write. Platforms probably need to hold users’ hands.
Reviews need to be easy to read, with useful information pulled out for easy access to users skimming applications. App markets need to be more like Amazon than the iOS App Store: ranking reviews on recency and usefulness, pulling out key points common across a lot of reviews, verified reviews, etc.
Fake reviews and ratings need to be curbed. This includes apps begging for reviews.
Rankings and listings in the market should be holistic and well-developed.

We don’t really have any of this on any mobile platform currently, but I think any of them would make for a much better app market.

Footnotes

Can Apple ban them? I’d argue you could get pretty far with static analysis tools, but that’s for another post… ↩
Android Permissions Demystified, by Adrienne Porter Felt et al., developed a tool called Stowaway to detect overprivileged of android apps. ↩
Analyzing Inter-Application Communication in Android, by Erika Chin et al., developed comdroid to detect insecure use of intents. ↩
A lot of work has been done on redesigning permission systems for Android: What’s wrong with permissions, how to ask for permission for different resources, the benefits of automatically granting low risk permissions, etc. This has been a big research area for students of my advisor, David Wagner, and the SCRUB center. ↩
Android permissions: user attention, comprehension, and behavior, by Adrienne Porter Felt et al., SOUPS ‘12. ↩