【正文】 potential applications for their device. 1. Do I believe this application will promise the security and function of my phone if I install it? 2. Do I trust this developer and their partners with access to my personal information? This leaves users left to leverage wordofmouth, market reviews and ratings, and the Android permissions display to assist users in making decisions that protect their mobile privacy and security. We conducted a series of 20 semistructured interviews to better understand how users navigate the Android Market, install and use thirdparty applications, and prehend the decisions they make at install time. In the remainder of this paper we will detail related work on users’ understanding of privacy and access control concepts as well as the current state of Android security/permissions, our interview methodology, the demographics and expertise of our participants, and finally a collection of participant responses that qualitatively detail their ability to make decisions in the Android ecosystem. 2 Related Work A Conundrum of Permissions: Installing Applications on and Android Smartphone 3 While Android has only existed publicly since 2021, a significant amount of work has been conducted on studying the Android permissions/security model. Much of this work focuses on creating theoretical formalizations of how Android security works or presents improvements to the system security, and is largely out of scope. Eyck work with Taint Droid has bridged the gap between system security and userfacing permissions, focusing on analyzing which applications are requesting information through permissions and then sending that data off phone[4]. Follow up work by Hornyack et al. detailed a method for intercepting these leaked transmissions and replacing them with nonsensitive information [7]. This functionality would allow users postinstallation privacycontrol. In their investigation they detailed the current permission requests of the top 1100 applications in the Android Market as of November 2021. However, our work, which tests users’ understandings of the most mon of these permissions, finds users have great difficulty understanding the meaning of these terms. Thus, giving users the ability to limit on a casebycase basis would likely be ineffective without assistance. Work by Vida Has also studied how applications request permissions, finding prevalent “permissions creep,” due to “existing developer APIs [which] make it difficult for developers to align their permission requests with application functionality” [15].Felt in their Android Permissions Demystified work, attempt to further explain permissions to developers[5]. However, neither of these papers explores endusers understanding of permissions. In our own work we find users attempt to rationalize why applications request specific permissions, trying to understand the developers’ decisions, even if their understanding of these requests is flawed. Others who have looked at Android permissions have attempted to cluster applications that require similar permissions to simplify the current scheme [3] or have attempted a parison of modern smartphone permission systems [1]. Their work finds that Android permissions provide the most information to users, however our interviews show that much of the information provided is not understood. Research in privacy policies, financial privacy notices, and access control have all similarly shown that privacyrelated concepts and terms are often not well understood by users expected to make privacy decisions[9,10,14]. Our earlier work specifically investigated how the information display of privacy policies could influence understanding, focusing on standardized formats, terms, and definitions. While the Android ecosystem uses a standard format and terms, clear definitions are not readily available to users. A Conundrum of Permissions: Installing Applications on and Android Smartphone 4 3 Android Permissions and Display Android app permissions are displayed to users at the time they decide to install any thirdparty app through the Android Market on the web or on the phone. Apps downloaded from thirdparty app stores do not necessarily show full permissions on their websites, however upon installing the application package (APK) the user is presented with a permissions screen variant. Permissions are shown within the Android Market as detailed in the following diagram, Figure 1. A user browses applications using the view shown in Screen 1. Here there is a truncated description, information about ratings, reviews, screenshots, etc. If a user decides to install they click the button labeled with the price of the application, here FREE. This brings them to Screen 2, Fig 1 The figure above shows the workflow for installing applications and viewing application permissions. Screen 1 shows the Amazon Kindle application as displayed in the Android Market. If a user were to click ”FREE,” circled in red, they are shown Screen 2, which allows them to Accept permissions and install the application, or to click the ”Show” button which leads the user to Screens 3 and 4. Where they are given a short list of permissions. If users double tap the FREE button on Screen 1, they skip Screen 2 and essentially approve the permissions without reading. Though Screen 2 serves the sole purpose of an interstitial permissions display between the market and a purchase decision, the plete list of permissions is not displayed. To explore the full permission request they would click the more expander, bringing them to Screen 3. Here they would see a more plete list of per missions with some permission shown in red and a Show all button, which displays the entire list if toggled. At no point in this process is there an explicit way for user