
Skeuomorphic design is common in desktop computer and mobile telephone applications. Sometimes interfaces and cues from the real world are used to good effect (swiping to move backwards and forwards in an eBook) and sometimes to terrible effect (rotary dials that need precise circular mouse motions on oscilloscopes).

Whilst these often cause limitations and problems in terms of usability and accessibility, are there any examples of skeuomorphic design leading to a security vulnerability?

An example I can think of - most intruder alarm panels use numeric keypads (with some special keys) and limited size (2 rows x 40 chars) LCD displays. This limits both input (limited alphabet for codes) and the output (status updates are often like "ZN 3 INPT OMIT"). If a mobile phone app to control the alarm mimics the panel exactly, we are still constrained by the same limits.

Cybergibbons
  • +1. This is actually a very good question. That the questioner had to explain an unusual design concept in order to ask it doesn't make it a bad question. – LateralFractal Oct 06 '13 at 09:07
  • Thanks - I think it is an interesting question. I don't think that security considers UI design enough. – Cybergibbons Oct 06 '13 at 09:10
  • You might want to rephrase the question as 'Can skeuomorphic UI design create security vulnerabilities?'; otherwise the question may be seen as an open-ended list question. – LateralFractal Oct 06 '13 at 09:10
  • @Cybergibbons I agree about the "not enough", but it is considered at times, at least by the smarter security professionals... E.g. See my answer [here](http://security.stackexchange.com/a/6116/33), and the question itself... – AviD Oct 06 '13 at 10:36

1 Answer

Skeuomorphic design is tempting: To differentiate a product from its competitors; but at the cost of reinventing the (UI) wheel and creating absurd learning hurdles for users. No website should be so unique as to exceed a user's motivation to learn how to use it.

For security, there are a few consequences of using skeuomorphic design (especially where skeuomorphism isn't the de facto UI element):

  • Loss of information: The chrome of skeuomorphic UI reduces or prohibits visibility of important security context information for the user. For example, a web browser pretending to be a "racing car windscreen" or Tron-style virtual world hides the website address as "too 2D/old skool" and not "skeuomorphic".
  • Drowns out high priority information: The security information might be visible on the screen but camouflaged as an innocuous UI element. For example, a remote gardening program displayed as a plant nursery could have connectivity errors and warnings displayed as a cutesy wilted pot-plant. The information was there but not especially modal or explicit.
  • Culturally ambiguous: Translating security and safety text between languages is hard enough; skeuomorphic design assumes the underlying product ever existed in that culture. For example, a red bulb on a skeuomorphic internet radio application might mean something quite different in non-western cultures.
  • Hard to navigate: Most skeuomorphic applications are only visually skeuomorphic, with none of the ease and speed of use of the original 3D object; this can result in mistakes or delays that can have serious consequences in quick-reflex/high-security scenarios. For example, checking the current fuel level of a car shouldn't involve dragging a visual dipstick in and out of a tank on a touchscreen.
  • Can not use pre-tested third party libraries: Each skeuomorphic application has custom UI, otherwise why bother? Hence the security of the interface layer does not benefit from the "many eyes - shallow bugs" effect of common third party resources. For example, your checkbook application looking like a physical checkbook instead of using international standards for checking information.
  • Difficult to audit if business logic is in the UI: No idea if the application is leaking information it shouldn't. Security auditors have to learn each application's custom UI to review it. For example, when website UI conventions did not exist, the pi symbol in the movie The Net was plausible on a website front page.
LateralFractal
  • Sure, bad design is not unique to skeuomorphism, but it is prevalent. It is also almost *required*, by definition. Almost. And using a bunch of custom frameworks for skeuomorphism *does* make it much harder to audit, since there are no standard libraries for this (as the post makes the point). – AviD Oct 06 '13 at 10:43
  • I really like this answer - it looks at this from a number of viewpoints that I hadn't even considered. – Cybergibbons Oct 06 '13 at 16:11
  • Do you mean "potted plant"? At least where I live, "pot plant" refers to something illegal. – Michael Hampton Oct 07 '13 at 18:14
  • @MichaelHampton :-) Yes I meant a potted plant. I do often forget the *420 Blaze It* community. – LateralFractal Oct 07 '13 at 21:32