AppEsteem Blog

Security-reducing apps: a call to action

(Hong Jia and Dennis Batchelder)

We think that many AVs need to update their (potentially) unwanted software policies to make sure they can block apps that reduce security without first obtaining informed user consent. We gave a talk yesterday at AVAR 2022 in Singapore to make our case, show which AVs are currently struggling with protecting their customers against these apps, and ask them to update their policies so their customers can be better protected.

You can see the slides we used for the presentation here.

This was our abstract:

As AVs become better operationalized in their fight against unwanted software (UwS), their combined pressure is driving the software monetization industry toward finding the gaps in AV policies so they can continue to exploit consumers for easy money.

The big gap in AV policies these days, unfortunately, is around apps that make consumers’ computers more vulnerable to attacks. The result? A proliferation of apps that needlessly reduce their customers’ security postures and set them up for future attacks, without first obtaining informed user consent. Examples of these apps include VPNs that install self-signed trusted root certificates and free apps that monetize by installing proxies that share their internet connection and processor.

Lately these security-reducing apps that don’t obtain informed consent are grabbing public attention: articles about them are popping up in both security blogs and computer industry news. Some platforms and AVs are beginning to respond – but they add detections only after others have publicly called the apps out. The platforms and AVs have been slow to update their policies, and slow to detect these apps as UwS, which leaves a gap that software monetizers continue to exploit.

Our session will show examples of how these apps reduce their customers’ security postures. We will highlight the platform and AV public policy gaps that have led to the spread of them. We’ll make suggestions as to how AVs can enhance their policies to better protect their customers from these apps.

Redefining the fight against Ad Pollution

(Dennis Batchelder and Hong Jia - 3 November 2022)

First, we’ll start with the bad news. Unfair advertising pollutes every consumer’s browsing experience, and it sure seems like an impossible problem to solve. Who’s going to tell the big tech giants what to do, anyway? They control most browsers, search engines, and advertising, and they own many of the most popular websites – who can stand up to that?

But, as you might have expected, we have good news for you. Today we launched a way to fight ad pollution. It uses the same successful model we developed in our fight against unfair software apps, so we know it can work. You can read about the launch in our press release here.

About the model we’re using: we designed it around our belief that the best way to drive change in the software monetizer ecosystem was to split apps into three buckets: unwanted, potentially unwanted, and clean. After many pivots, trials, and assistance, we landed on three key initiatives:

  1. Define the rules for what makes an app unwanted (and get them accepted).
  2. Raise urgency by publicly calling out the unwanted apps (we called them Deceptors).
  3. Work with the security industry to develop well-defined rules for what makes an app clean.

Our model and these initiatives worked well against unfair apps. Now we’re going to apply it to unfair advertising. Today, we announced the following:

  1. The publication of our first set of Polluter Indicators – rules that identify the kinds of unfair advertising practices that hurt consumers and ruin their browsing experiences.
  2. The release of our first set of ad-tech companies that we consider Ad Polluters, and a public call to block their ads.
  3. A partnership program with the security and ad-blocking ecosystems to accelerate the fight against ad pollution.

It’s a bit scary for our tiny company to call out these big names. But we’re convinced that their ad practices are both disrespectful and unfair to consumers, and that they need to change their behavior. We want the fight against ad pollution to extend beyond a theoretical privacy discussion; we want these companies held accountable for the mess they’ve made of internet browsing experiences. And we want them to change their ways, just like the software monetization industry has done.

Big tech wants us to believe that market forces alone can drive them to self-regulate, but looking at the awful state of ads today, we know this isn’t true. We see that as big tech dominates, the power of the consumer voice diminishes. Our fight against ad pollution is our attempt to bring the consumer perspective back to say which harmful and annoying advertising behaviors must be stopped.

Over the coming months we’ll update our Polluter list, announce browser tools that will automatically block just the ad polluters, give advice for how we think ad polluters should adjust their strategies, and work with partners to build up a strong enforcement ecosystem. We’d love to hear from you about our effort, or have you join us in the fight against ad pollution, or listen to your ideas on how we can improve.

Thanks, please help us spread the word, and stay tuned!

Stop Interrupting! New ACR-013 goes live in April 2023

In April 2023, we'll start enforcing ACR-013 (you can find it on our ACR checklist), which is our attempt to help the software monetization industry get over their habit of making unrelated offers during critical moments of the software experience.

We want the industry to change their interrupting behavior, because we know that consumers are tricked into thinking that these kinds of offers and ads are part of the app, and that their acceptance is required. We don't want consumers to be tricked, so we worked with the anti-malware ecosystem and the platforms to come up with this new Deceptor-level requirement to stop this behavior.

Here's a real-life example: during an install of the Opera web browser, as the user clicks through the EULA and privacy policy acceptance and chooses their settings, the install experience is interrupted with an offer for an unrelated app (in this case, an offer for Hotspot Shield):

We believe that this interrupting behavior, especially when it occurs during an app's acquisition workflows (like install, upgrade, uninstall, purchase), is misleading, deceptive, and unwanted. Between now and the end of March, we'll work on notifying the software monetization industry about this change, including answering any questions they may have. Starting next April, we'll enforce this ACR: we won't certify apps that break it, and, at our discretion, we'll list apps breaking it on our active Deceptor list.

The ACR Checklist link above shows the exact requirement, the intent behind the requirement, and some practical guidance for how to be in compliance with it. If you have additional questions about your own implementation for ACR-013, we encourage you to get in touch with us at [email protected]. We'll do our best to answer. You may also want to consider signing up for our one-time-review service, or our certification service, both of which can help you stay in compliance with all of our Application Certification Requirements.

Nine Ways Ad Pollution Ruins your Internet Browsing

By Keven Goh

Introduction

Millions of people around the globe rely on the Internet for work, communication, research, and entertainment. However, along with the development of technology comes the inevitable rat race for profits. Companies have flooded the Internet with advertising. Advertising isn’t inherently bad; websites require an income to sustain themselves. However, when websites and advertising networks resort to unfair practices that annoy, harass, trick, or take advantage of consumers, they create ad pollution. This blog examines nine ways that ad pollution ruins your browsing experience.

1: Ad Pollution interrupts your browsing

Have you ever been peacefully browsing a website, only for a massive ad to pop up out of nowhere, blocking your entire screen? How about videos that are bisected by unskippable ads, making you forget what you just watched? Ad polluters seem to believe that by interrupting you, they’ll make more money.

2: Ad pollution disguises itself as content

Another trick ad polluters use is disguising themselves as a normal part of whatever website you’re looking at. One example is how native ads are designed to look like news articles. Another example is in search. If you’ve ever used a search engine, you’ve probably noticed that many of the returned items are ads, formatted and placed to look like actual search results. Consumers mistakenly click on these native ads and fake search results billions of times every day.

3: Ad Pollution distracts and annoys

It’s part of an ad’s job to try to get your attention, but ad polluters make the attention-grabbing way too excessive. We’ve all seen those ads that flood your computer with irritating notification sounds, or use flashy, bothersome videos as they attempt to get your attention.

4: Ad Pollution chases you

Sometimes ad pollution launches into a new browser window or tab without your consent. They try to act like this is part of your browser’s normal function. Maybe you’ve closed your browser, just to discover that some ad polluter secretly opened a separate window linking to their site. Often these ads keep opening other browser windows as soon as you close them.

5: Ad Pollution overwhelms you

Ad polluters may embed so many ads throughout a news article or blog that it’s impossible to pay attention to what you’re trying to read. While this may earn them more money, it makes it difficult to get what you wanted out of that site to begin with.

6: Ad Pollution tricks you into clicking

Have you ever tried to click “play” on a video, only for an ad to pop up below your cursor right before hitting the play button? Some ad polluters are even more direct, throwing pop-up ads at you even after content consumption begins, or forcing you to watch an ad for a set amount of time before getting to the content itself.

7: Ad Pollution disguises itself as website functions

How many times have you clicked on what you thought was a download button, only to discover that it was an ad that redirected you to a different website? What about play buttons or even exit buttons that are disguised as ads? This kind of ad pollution is especially annoying because they don’t even bother telling you what they’re advertising; they just trick you into clicking.

8: Ad Pollution targets you without permission

We’ve all been through it—we search for something, then get bombarded by ads based on that search across every other website we visit. Targeted ads make more money, and ad polluters turn on targeting by default, without your explicit consent. Maybe you clicked to allow cookies, but the supposed “consent” to use your own information to target you was buried deep inside a privacy policy.

9: Ad Pollution resists when you try to turn it off

Ad pollution doesn’t make it easy to disable. Turning off ad personalization might require sifting through pages of convoluted menus to find the right option. It may require you to enable other forms of personalization or data tracking, like third party cookies. And since many ads on websites are auctioned to the highest bidder, disabling one network’s ad personalization can still result in you being targeted by other ad networks. Furthermore, when you try to disable ad personalization, you may be threatened that you’ll just end up seeing more ads.

A vibrant security ecosystem *can* work

Last week, AppEsteem was mentioned in several news articles reporting on the VPN apps we listed as Deceptors. We listed them after our research showed these apps automatically installing self-signed trusted root certificates without obtaining informed user consent for the risk this introduced.

Here are some links to the news articles: one on techradar and one on cnet.

We are already seeing progress from some of these VPN apps to fix these Deceptor-level issues. Some of the apps now obtain informed consent; other apps are moving away from introducing this security risk. Both approaches bring a better, safer experience to consumers of VPN apps.

Driving change across an industry isn’t easy: the reason this worked is because of a vibrant security ecosystem:

  • Our AV partners use our research and feeds and usually detect/block active Deceptors and allow Certified apps. This is a direct way to let vendors know when they need to change, as it affects their ability to keep their apps on a consumer’s device.
  • Security articles in the media bring attention, encourage more AVs to use our research and feeds, and send a message to the vendor’s employees and investors that their app needs immediate attention.

We are excited by these developments and are looking forward to continuing to work with VPNs and other apps to help facilitate a safer online environment. We love how the security industry can work together to improve consumer safety!

Why Certified apps sometimes get detected

Antimalware products detect vendor-developed applications for a variety of reasons, usually revolving around their belief that the app is cheating, scaring, or tricking the consumer.

We offer vendor-developed apps a certification service so that a vendor can develop a consumer-respecting app, knowing they won’t be surprised by a detection. Our certification service verifies the app’s behavior, as well as the behavior of its ads, how it distributes, and its purchase, support, and call center methods. We offer a comprehensive, evolving checklist of Application Certification Requirements to help our customers stay compliant. These requirements have been thoroughly vetted over the past six years with many security companies.

Each security company releasing antimalware products maintains its own criteria for detecting vendor-developed applications. Usually these criteria align with our requirements, but sometimes we have differences. We strive to understand these differences by working with the security companies, so we can tell vendors how to ensure their apps remain consumer-respecting and not detected.

One way we try to keep in sync with the security companies is by running tests. Every month we produce an Unwanted Software Handling Certification Test Report (we call it the DeceptorFighters Test for short). In this test, we measure how well various antimalware products can block and allow vendor-developed applications.

To pass the test, an antimalware product needs to get a 95% score on blocking Deceptors and allowing Certified apps. We provide free feeds of all the apps in the test, and we allow the antimalware products to dispute our scores by telling us why their policies led them to allow the Deceptor app to run, or to block the Certified app.

We’ve been running this test for over three years, and we’ve figured out that the security companies behind the antimalware products we test are at various maturity levels for how they handle Unwanted Software (UwS) and Potentially Unwanted Apps (PUA).

Below we’ve mapped these maturity levels, from most to least mature, into the reasons why an antimalware product may detect a certified app.

DeceptorFighter antimalware products: they generally provide vendors and us with the actionable reasons why they detect Certified apps. They usually have well-published and well-understood policies for vendor-developed apps. They have a large enough staff handling vendor-developed apps to keep up with incoming disputes.

Contender antimalware products: we’ve seen they are actively working to distinguish between wanted and unwanted software. They have researchers dedicated to analyzing vendor-developed applications, and they publish their criteria. They can usually explain why they detect a Certified app, and they generally respond to our queries. We believe the security companies behind them are working on getting more mature in this area, and their antimalware products will soon be DeceptorFighters.

Potentially Unfair Blocking antimalware products: we notice that they claim to be great at detecting UwS and PUA, but either they haven’t established public criteria for doing so, or they don’t have an efficient way for vendors to dispute these detections. Most of the security companies behind these products don’t communicate well with us, either, leaving vendors in the dark as to why they’re being detected. These security companies may be rewarded for their unfair detections by falsely claiming protection, driving up their own conversions to paid products.

Significant Effort Required antimalware products: we believe that the main reason these security companies detect Certified apps is that they don’t put any focus onto UwS or PUA. They may be great at detecting malware and ransomware, but their ability to focus on vendor-developed applications is either unfunded or immature.

To think about why a Certified app is detected by an antimalware company, just map the security company into its corresponding maturity category:

  • First, it may be that a DeceptorFighter level antimalware product has provided the app its actionable reasons for detection, and the app has decided to not implement the fixes. Note that vendors of Certified apps have committed to fix issues as they are reported by antimalware companies, so if an app is being detected for this reason, the detection usually only lasts a few days.
  • Second, it could be that a Contender level antimalware product is still evaluating the app, and it will take some time (up to a few weeks) for them to clear it before they stop detecting it.
  • Third, a Potentially Unfair Blocking level antimalware product may be monetizing its detection, or it may have made a conscious decision to ignore disputes from vendors. Note that most of these antimalware vendors are small, with limited consumer market share.
  • Fourth, a Significant Effort Required antimalware product might have automation-level detection, with nobody monitoring the results.

We suggest that our customers focus on ensuring their Certified apps have no detections by DeceptorFighters and Contenders, because these security companies are mature enough to not only have well-understood policies, but also to have the staff in place to handle vendor disputes. Fortunately, the antimalware companies in these two categories make up the vast majority of the consumer market share.

Here’s a list of antimalware products that remained either DeceptorFighters or Contenders for the entirety of last year (see the 2021 report here):

Meanwhile, we continue to try to work with all security companies. Our Deceptor and Certified feeds, as well as our ACRs, are available free of charge for security companies to use as they work to increase their own maturity levels in how they handle vendor-developed apps.

2021 Year in Review

Yuliya Boldyryeva

It’s that time of year again - the time to reflect on the events of the past year and think about everything that was accomplished (or not accomplished) throughout the year.

Whether or not you were able to undertake what you wanted in 2021, this is another year that will mark history on a global scale.

2021 has brought us hope that the pandemic is close to its end, with many people being able to get vaccinated, return to their normal working environments and finally reunite with their coworkers, friends, and family. Many realized how much they missed being able to go out and enjoy attractions such as concerts and social events, while others have adapted to the post-pandemic way of living and permanently changed their lifestyles. Either way, this has been a year of change and adaptation for all.

Although not for long (due to the omicron variant), our team was thankful to go back to our AppEsteem office and see each other in person again. We have all gotten used to the convenience of working from home, but we realized that it makes a big difference physically being in the same room with the team and discussing our ideas face-to-face with each other.

And there were a lot of great ideas!

Here are some of our biggest accomplishments of 2021:

  1. On our app certification side, we certified 447 app versions. This is the first year in history when we had more certifications than Deceptors (only 293). It shows that we have made real progress in cleaning up the industry, and we believe that this is something worth celebrating! We are thankful to all our customers who committed to certifying their apps and helping us clean the Internet.
  2. We made sure our customers were prepared for the release of ACR-008 in November 2021. The intent of this ACR is that consumers can find the free options in the application software as easily as they can find the purchase option. So, if the software offers free fixes, they need to be of the same quality as those in the paid version and should not be difficult or tedious to obtain.
  3. In our Insiders’ calls this year, we also discussed restricting your certified apps to a certified-only certificate. It is important to never distribute non-certified versions of an app signed with the same certificate, because many AVs trust our certified apps list and we want to make their work easier. Make sure to only distribute what is on our certified list in order to avoid confusion from AVs.
  4. On a slightly different topic, we designed our own Internet Safety Portal (blur.live) for our browser extension Blur.live. It includes useful information such as the number of ads any website has, information about Deceptor apps, and our very own Internet Safety Blog. In the next year, we are hoping to add more features to our blog to make it more shareable and interactive with our readers. For now, you can follow us on Twitter and Facebook and stay tuned for updates about our blog.
  5. We were also getting pretty fed up with all the clutter that comes up when we use a search engine to browse the web, so we decided to create our own, clean search engine instead - Browse.live (https://browse.live/). We really don’t like the idea of our search histories being used against us by big-brand search companies to target us with advertisements and exploit us. We know that most people feel the same way, which is why we are now on a mission to reduce Internet pollution on a global level and help provide people with a cleaner and more private Internet. We know this won’t be easy, but we are up to the challenge and believe that once people experience this new clean way of browsing, they won’t be able to go back. This is our biggest aspiration for 2022 and we hope that you will take part in it and make the next year safer for everyone, both in-person and on the web.

Wow, what a year! We sincerely hope you all are staying safe and healthy and wish you all a wonderful and productive year ahead!

Our fifth year: the longest one ever

While our office remains empty and we're confined to our homes, our spirits are high, because we made it all the way to our fifth birthday!

The big idea we had when we started was that software monetizers could actually thrive in a cleaner, consumer-respecting world. The formula was simple: they'd promise to be good, we'd certify their apps, and we'd work to educate the anti-malware ecosystem about the differences between the good and the bad players.

We were so naïve.

But in spite of our inability to look at the world through anything but rose-colored-lenses, we all worked together and accomplished something big. The Windows and MacOS apps are in such a better place now. Unwanted software is mostly gone: the good apps thrive, the bad apps get whacked, and the industry has found a way to work together to protect consumers.

We made an impact that we only dreamed of achieving.

We're not done, though. Browser extensions and mobile apps still have large numbers of unscrupulous vendors taking advantage of consumers. We think this is because the platform stores are still more focused on growth than they are on protecting consumers, and they've found effective ways to keep both the AVs and companies like AppEsteem at bay. (Shame on them.) We're still trying to crack this nut.

But we feel great at what's been accomplished. And we owe a huge debt to the AVs and our customers for not only taking a chance on us, but also for continually working to make this software space cleaner every year. Thank you!

We've learned so much in the process, too. Some of the learnings were painful lessons. Here are six of our critical success factors:

  1. Many of the early "supporters" (both vendors and AVs) weren't interested in solving the problem. They wanted to give lip service while they prolonged their cheating ways. Thankfully these bad vendors have shut down or moved out of this space, and the insincere AVs have mostly become irrelevant, but we had to learn how to stop wasting time on insincere supporters.
  2. Few vendors wanted our certification service (even when we offered it for free) until we had a robust method of reporting Deceptors. We had to balance our carrots and sticks.
  3. The AVs were very happy with our Deceptor feed, but our big breakthrough on stopping their flags on certified apps came when we started testing them. We had to find out how to leverage the existing momentum of our partners.
  4. It took us time to realize that AVs are also software monetizers, and many times their sales, marketing, and product managers break the ACRs (and their own policies) they enforce on others. Keeping everybody aligned and the hypocrisy at bay was a difficult task to master.
  5. Staying in sync with a robust vendor association like CleanApps.org helped keep us focused on what matters to software vendors (and not just to their supply chain). We learned how to operationalize figuring out what our customers really needed.
  6. Having our own app (check out Blur.live!) has taught our entire team so much about what our customers go through as they build and distribute their apps. We should have done this earlier.

And then we turned four...

We've abandoned our office and fled to our homes. We're washing our hands, searching for online delivery services, and wiping down the incoming packages. We're figuring out how to spend all day on Teams and Zoom and Skype and Hangouts without getting massive backaches. And with all this chaos, we're taking a moment to celebrate our fourth birthday.

Back in 2016, who ever thought a tiny self-funded startup would be able to drive such a big impact in the quality of consumer apps? But we figured it out, and consumers everywhere are safer, thanks to the combined efforts of the vendors who make the certified apps and the AVs who protect consumers from unwanted software. Thank you so much for working with us to improve the computing experience of billions of consumers around the world.

Over the past year we also rolled out our very own browser extension. Blur.live automatically blurs ads as well as deceptive search results. Please check it out here -- we hope you'll fall in love with it.

Like the rest of the world, we've been thinking a lot about how this crazy coronavirus will impact our company's future. If you had asked us two months ago, we would have said that we thought we were almost done with the fight against Windows-based Deceptors. But then this virus went global, and many people went from their workplaces and schools to spend time at home... in front of their computers... without getting computer support from their nephews, neighbors, and the local computer store. The bad guys woke up; Deceptors that once had gone away rose up like zombies; and many apps and services were offered by emboldened and unscrupulous affiliates. Suddenly consumers were getting tricked and cheated and scared like it was early 2016. We realized that the best way we could help the world cope with its biological virus was to double down on our Deceptor hunting and increase our monitoring of the apps that we certify. We've made these priority adjustments, and we think that together with the vendors and the AVs, we'll quickly get this industry back on track.

And while we're cleaning up the software monetization space, we'll also increase distribution of Blur.live so we can help keep more consumers safe. By the time we turn five, we'll have an Android version available. We'll work hard to keep you, and all the other consumers around the world, safe from unwanted and deceptive software.

And maybe, just maybe, we'll get to see our offices again. Can't wait for that day!

AppEsteem update at the CleanApps.org summit

Yesterday in Las Vegas we had the opportunity to present an update to the members and guests of CleanApps.org. I've attached a PDF version of the deck here so you can see what we're proud of, what we've done, and what we're going to focus on for 2020.

Three items are worth calling out:

  1. Our UwS Handling Certification Test has really helped to streamline our certification business and increase AV usage of our feeds. You can check out the final results of last year's test in the deck, or play with a year's worth of data here.
  2. We have a short list of trends that we're keeping an eye on, as decisions made could affect both our and our customers' business. These are listed toward the end of the presentation (look for the slide with binoculars).
  3. One of the benefits of our streamlined certification service is that our customers have been able to focus more time on making their apps more valuable. We believe that true consumer value is the most important ingredient of a clean and compliant app. We are happy that our customers are proud of the apps that they offer consumers... this is a huge step forward in the maturity of the software monetization industry.

We also included a few slides on our browser safety extension: Blur.live. If you're not using it yet, please take a look and see if the way we blur deceptive search results and ads helps improve your own internet vision!

Copyright © 2022 - Design by FS