Mobile platforms employ permission-granting mechanisms so that users can exert control over how third-party applications access their personal data. Some platforms take a paternalistic approach by relying on a review process before an application can be approved for public consumption. At the opposite end of the spectrum, other platforms aim for transparency by presenting users with a list of requested permissions every time an application is installed. The former approach is opaque and does not allow users to understand how their data will be used, whereas the latter approach results in habituation when users are bombarded with requests they either do not understand or do not find concerning. In this talk, I discuss how balancing transparency with concerns over habituation empowers users to make better decisions about their privacy and security. Specifically, I describe previous and ongoing human subjects research to replace unnecessary permission requests with audit mechanisms, how to improve necessary permission requests, and how to tell the difference between the two.