AppEsteem Blog

Learn more about what's happening at AppEsteem

A vibrant security ecosystem *can* work

Last week, AppEsteem was mentioned in several news articles reporting on the VPN apps we listed as Deceptors. We listed them after our research showed these apps automatically installing self-signed trusted root certificates without informed user consent for the risk that this introduced.

Here’s some links to the news articles: one on techradar and one on cnet.

We are already seeing progress from some of these VPN apps to fix these Deceptor-level issues. Some of the apps now obtain informed consent; other apps are moving away from introducing this security risk. Both approaches bring a better, safer experience to consumers of VPN apps.

Driving change across an industry isn’t easy: the reason this worked is because of a vibrant security ecosystem:

  • Our AV partners use our research and feeds and usually detect/block active Deceptors and allow Certified apps. This is a direct way to let vendors know when they need to change, as it affects their ability to keep their apps on a consumer’s device.
  • Security articles in the media bring attention, encourage more AVs to use our research and feeds, and send a message to the vendor’s employees and investors that their app needs immediate attention.

We are excited by these developments and are looking forward to continuing to work with VPNs and other apps to help facilitate a safer online environment. We love how the security industry can work together to improve consumer safety!

 

Why Certified apps sometimes get detected

Antimalware products detect vendor-developed applications for a variety of reasons, usually revolving around their belief that the app is cheating, scaring, or tricking the consumer.

We offer vendor-developed apps a certification service so that a vendor can develop a consumer-respecting app, knowing they won’t be surprised by a detection. Our certification service verifies the app’s behavior, as well as the behavior of its ads, how it distributes, and its purchase, support, and call center methods. We offer a comprehensive, evolving checklist of Application Certification Requirements to help our customers stay compliant. These requirements have been thoroughly vetted over the past six years with many security companies.

Each security company releasing antimalware products maintains their own criteria for detecting vendor-developed applications. Usually these criteria align with our requirements, but sometimes we have differences. We strive to understand these differences by working with the security companies, so we can tell vendors how ensure their apps remain consumer-respecting and not detected.

One way we try to keep in sync with the security companies is by running tests. Every month we produce an Unwanted Software Handling Certification Test (we call it the DeceptorFighters Test for short) Report. In this test, we measure how well various antimalware products can block and allow vendor-developed applications.

To pass the test, an antimalware product needs to get a 95% score on blocking Deceptors and allowing Certified apps. We provide free feeds of all the apps in the test, and we allow the antimalware products to dispute our scores by telling us why their policies led them to allow the Deceptor app to run, or to block the Certified app.

We’ve been running this test for over three years, and we’ve figured out that the security companies behind the antimalware products we test are at various maturity levels for how they handle Unwanted Software (UwS) and Potentially Unwanted Apps (PUA).

Below we’ve mapped these maturity levels, from most to least mature, into the reasons why an antimalware product may detect a certified app.

DeceptorFighter antimalware products: they generally provide vendors and us with the actionable reasons why they detect Certified apps. They usually have well-published and well-understood policies for vendor-developed apps. They have a large enough staff handling vendor-developed apps to keep up with incoming disputes.

Contender antimalware products: we’ve seen they are actively working to distinguish between wanted and unwanted software. They have researchers dedicated to analyzing vendor-developed applications, and they publish their criteria. They can usually explain why they detect a Certified app, and they generally respond to our queries. We believe the security companies behind them are working on getting more mature in this area, and their antimalware products will soon be DeceptorFighters.

Potentially Unfair Blocking antimalware products: we notice that they claim to be great at detecting UwS and PUA, but ether they haven’t established public criteria for doing so, or they don’t have an efficient way for vendors to dispute these detections. Most of the security companies behind these products don’t communicate well with us, either, leaving vendors in the dark as to why they’re being detected. These security companies may be rewarded for their unfair detections by falsely claiming protection, driving up their own conversions to paid products.

Significant Effort Required antimalware products: we believe that the main reason these security companies detect Certified apps is because they don’t put any focus onto UwS or PUA. They may be great at detecting malware and ransomware, but their abilities to focus on vendor-developed applications is either unfunded or immature.

To think about why a Certified app is detected by an antimalware company, just map the security company into its corresponding maturity category:

  • First, it may be that a DeceptorFighter level antimalware product has provided the app its actionable reasons for detection, and the app has decided to not implement the fixes. Note that vendors of Certified apps have committed to fix issues as they are reported by antimalware companies, so if an app is being detected for this reason, the detection usually only lasts a few days.
  • Second, it could be that a Contender level antimalware product is still evaluating the app, and it will take some time (up to a few weeks) for them to clear it before they stop detecting it.
  • Third, a Potentially Unfair Blocking level antimalware product may be monetizing its detection, or they may have made a conscious decision to ignore disputes from vendors. Note that most of these vendors are small, with limited consumer market share.
  • Fourth, a Significant Effort Required antimalware product might have automation-level detection, with nobody monitoring the results.

We suggest that our customers focus on ensuring their Certified apps have no detections by DeceptorFighters and Contenders, because these security companies are mature enough to not only have well-understood policies, but also to have the staff in place to handle vendor disputes. Fortunately, the antimalware companies in these two categories make up the vast majority of the consumer market share.

Here’s a list of antimalware products that remained either DeceporFighters or Contenders for the entirety of last year (see the 2021 report here):

Meanwhile, we continue to try to work with all security companies. Our Deceptor and Certified feeds, as well as our ACRs, are available free of charge for security companies to use as they work to increase their own maturity levels in how they handle vendor-developed apps.

 

2021 Year in Review

Yuliya Boldyryeva

It’s that time of year again - the time to reflect on the events of the past year and think about everything that was accomplished (or not accomplished) throughout the year.

Whether or not you were able to undertake what you wanted in 2021, this is another year that will mark history on a global scale.

2021 has brought us hope that the pandemic is close to its end, with many people being able to get vaccinated, return back to their normal working environments and finally reunite with their coworkers, friends, and family. Many realized how much they missed being able to go out and enjoy attractions such as concerts and social events, others have adapted to the post-pandemic way of living and permanently changed their lifestyles. Either way, this has been a year of change and adaptation for all.

Although not for long (due to the omicron variant), our team was thankful to go back to our AppEsteem office and see each other in person again. We have all gotten used to the convenience of working from home, but we realized that it makes a big difference physically being in the same room with the team and discussing our ideas face-to-face with each other.

And there were a lot of great ideas!

Here are some of our biggest accomplishments of 2021:

  1. On our app certification side, we certified 447 app versions. This is the first year in history when we had more certifications than Deceptors (only 293). It shows that we have made real progress in cleaning up the industry, and we believe that this is something worth celebrating! We are thankful to all our customers who committed to certifying their apps and helping us clean the Internet.
  2. We made sure our customers were prepared for the release of ACR-008 in November 2021. The intent of this ACR is that consumers can find the free options in the application software as easily as they can find the purchase option. So, if the software offers free fixes, they need to be of the same quality as those in the paid version and should not be difficult or tedious to obtain.
  3. In our Insiders’ calls this year, we also discussed restricting your certified apps to a certified-only certificate. It is important to never distribute non-certified versions of an app signed with the same certificate because many AV’s trust our certified apps list and we want to make their work easier. Make sure to only distribute what is on our certified list in order to avoid confusion from AV’s.
  4. On a slightly different topic, we designed our own Internet Safety Portal (Internet Safety Portal (blur.live)) for our browser extension Blur.live (live). It includes useful information such as the number of ads any website has, information about Deceptor apps, and our very own Internet Safety Blog. In the next year, we are hoping to add more features to our blog to make it more shareable and interactive with our readers. For now, you can follow us on Twitter and Facebook and stay tuned for updates about our blog.
  5. We were also getting pretty fed up with all the clutter that comes up when we use a search engine to browse the web, so we decided to create our own, clean search engine instead - Browse.live (https://browse.live/). We really don’t like the idea of our search histories being used against us by big-brand search companies to target us with advertisements and exploit us. We know that most people feel the same way, which is why we are now on a mission to reduce Internet pollution on a global level and help provide people with a cleaner and more private Internet. We know this won’t be easy, but we are up to the challenge and believe that once people experience this new clean way of browsing, they won’t be able to go back. This is our biggest aspiration for 2022 and we hope that you will take part in it and make the next year safer for everyone, both in-person and on the web.

Wow, what a year! We sincerely hope you all are staying safe and healthy and wish you all a wonderful and productive year ahead!

Our fifth year: the longest one ever

While our office remains empty and we're confined to our homes, our spirits are high, because we made it all the way to our fifth birthday!

The big idea we had when we started was that software monetizers could actually thrive in a cleaner, consumer-respecting world. The formula was simple: they'd promise to be good, we'd certify their apps, and we'd work to educate the anti-malware ecosystem about the differences between the good and the bad players.

We were so naïve.

But in spite of our inability to look at the world through anything but rose-colored-lenses, we all worked together and accomplished something big. The Windows and MacOS apps are in such a better place now. Unwanted software is mostly gone: the good apps thrive, the bad apps get whacked, and the industry has found a way to work together to protect consumers.

We made an impact that we only dreamed of achieving.

We're not done, though. Browser extensions and mobile apps still have large numbers of unscrupulous vendors taking advantage of consumers. We think this is because the platform stores are still more focused on growth than they are on protecting consumers, and they've found effective ways to keep both the AVs and companies like AppEsteem at bay. (Shame on them.) We're still trying to crack this nut.

But we feel great at what's been accomplished. And we owe a huge debt to the AVs and our customers for not only taking a chance on us, but also for continually working to make this software space cleaner every year. Thank you!

We've learned so much in the process, too. Some of the learnings were painful lessons. Here's six of our critical success factors:

  1. Many of the early "supporters" (both vendors and AVs) weren't interested in solving the problem. They wanted to give lip service while they prolonged their cheating ways. Thankfully these bad vendors have shut down or moved out of this space, and the insincere AVs have mostly become irrelevant, but we had to learn how to stop wasting time on insincere supporters.
  2. Few vendors wanted our certification service (even when we offered it for free) until we had a robust method of reporting Deceptors. We had to balance our carrots and sticks.
  3.  The AVs were very happy with our Deceptor feed, but our big breakthrough on stopping their flags on certified apps came when we started testing them. We had to find how to leverage the existing momentum of our partners.
  4. It took us time to realize that AVs are also software monetizers, and many times their sales, marketing, and product managers break the ACRs (and their own policies) they enforce on others. Keeping everybody aligned and the hypocrisy at bay was a difficult task to master.
  5. Staying in sync with a robust vendor association like CleanApps.org helped keep us focused on what matters to software vendors (and not just to their supply chain). We learned how to operationalize how we figured out what our customers really needed.
  6. Having our own app (check out Blur.live!) has taught our entire team so much about what our customers go through as they build and distribute their apps. We should have done this earlier.

 

And then we turned four...

We've abandoned our office and fled to our homes. We're washing our hands, searching for online delivery services, and wiping down the incoming packages. We're figuring out how to spend all day on Teams and Zoom and Skype and Hangouts without getting massive backaches. And with all this chaos, we're taking a moment to celebrate our fourth birthday.

Back in 2016, who ever thought a tiny self-funded startup would be able to drive such a big impact in the quality of consumer apps? But we figured it out, and consumers everywhere are safer, thanks to the combined efforts of the vendors who make the certified apps and the AVs who protect consumers from unwanted software. Thank you so much for working with us to improve the computing experience of billions of consumers around the world.

Over the past year we also rolled out our very own browser extension. Blur.live automatically blurs ads as well as deceptive search results. Please check it out here -- we hope you'll fall in love with it.

Like the rest of the world, we've been thinking a lot about how this crazy coronavirus will impact our company's future. If you had asked us two months ago, we would have said that we thought we were almost done with the fight against Windows-based Deceptors. But then this virus went global, and many people went from their workplaces and schools to spend time at home... in front of their computers... without getting computer support from their nephews, neighbors, and the local computer store. The bad guys woke up; Deceptors that once had gone away rose up like zombies; and many apps and services were offered by emboldened and unscrupulous affiliates. Suddenly consumers were getting tricked and cheated and scared like it was early 2016. We realized that the best way we could help the world cope with its biological virus was to double down on our Deceptor hunting and increase our monitoring of the apps that we certify. We've made these priority adjustments, and we think that together with the vendors and the AVs, we'll quickly get this industry back on track.

And while we're cleaning up the software monetization space, we'll also increase distribution of Blur.live so we can help keep more consumers safe. By the time we turn five, we'll have an Android version available. We'll work hard to keep you, and all the other consumers around the world, safe from unwanted and deceptive software.

And maybe, just maybe, we'll get to see our offices again. Can't wait for that day!

 

AppEsteem update at the CleanApps.org summit

Yesterday in Las Vegas we had the opportunity to present an update to the members and guests of CleanApps.org. I've attached a PDF version of the deck here so you can see what we're proud of, what we've done, and what we're going to focus on for 2020.

Three items are worth calling out:

  1. Our UwS Handling Certification Test has really helped to streamline our certification business and increase AV usage of our feeds. You can check out the final results of last year's test in the deck, or play with a year's worth of data here.
  2. We have a short list of trends that we're keeping an eye on, as decisions made could affect both our and our customers' business. These are listed toward the end of the presentation (look for the slide with binoculars).
  3. One of the benefits of our streamlined certification service is that our customers have been able to focus more time on making their apps more valuable. We believe that true consumer value is the most important ingredient of a clean and compliant app. We are happy that our customers are proud of the apps that they offer consumers... this is a huge step forward in the maturity of the software monetization industry.

We also included a few slides on our browser safety extension: Blur.live. If you're not using it yet, please take a look and see if the way we blur deceptive search results and ads helps improve your own internet vision!

Streamlining our services

-- Janet Attar, Customer Success Manager

Last month we turned three, and it’s time to apply what we’ve learned from our customers to our offerings. This year we are eliminating some service plans, and we’re streamlining others. We believe these changes will be better for our customers as well as our security partners.

The first change is that we no longer offer “uncommitted” subscription pricing. The pricing is much better when customers commit, and although a few customers may have started uncommitted, they all quickly switched to committed. Our offerings have simplified to these three:

  • Premium Subscription (6 month minimum). 
  • Basic Subscription (6 moth minimum).
  • Individual Review (pay per review). 

The second change is replacing our add-on App Jail services with a built-in streamlined Detection Advisories feature that’s now part of all three of our offerings. We believe that this will be a huge benefit to both our customers and our security partners.

We’ve worked hard over the past three years to build up a great understanding of what the security vendors need, and we work hard to maintain this understanding as they continue to change their own requirements. Detection Advisories are what we’ll provide as part of each app review when we notice any “beyond certification” requirements that we already know will cause security vendors to block it. 

This new approach gives our customers valuable, proactive guidance. It also reduces the load on our security partners, as we will not request them to consider removing detections when we know that the app has outstanding Detection Advisories. In cases where a certified app is blocked after all Detection Advisories have been resolved, we will continue to work with our customers and our security partners to discover new actionable reasons.

Making Detection Advisories built into our three offerings makes it easier for us to provide reliable advice and get consistent answers back from the security vendors. We’ve adjusted our pricing to reflect this change for any new app submitted, and existing customer apps will be switched to the new pricing on July 1st.

Prescriptive guidance for affiliate and download sites

This post gives some prescriptive guidance to our policy updates, and explains our Deceptor listing policy, for affiliates, download sites, and the affiliated apps.

If your affiliate site offers downloaded apps:

  1. Only do direct downloads from offers. The difference between an offer and an ad? An offer says it's an offer, and it has links to the app's (not your site's) EULA and Privacy Policy. An offer has a value proposition, and makes it clear that it's optional. Ads must redirect the consumer to a landing page (which is an offer).
  2. Make it clear that you are an affiliate of the app you are promoting, and not the maker of the app.

If your affiliate site provides removal instructions for malware, spyware, adware, Deceptors, or other "threats", and also offers an app:

  1. Do not claim that the app will remove the threat, unless you back up that claim with evidence.
  2. Get specific in your descriptions of the threat. Screen shots from the threat, actions the threat takes on the consumer machine, references to landing pages and makers, are all great ways to get specific. Making only generic or only "maybe" statements that can be found on many pages are not good ways to be specific.

If your site is a download site:

  1. Make sure you have permission to store/download the apps. If you don't have permission, point the consumer to app's landing page.
  2. If you are going to install a download manager and not the app, be clear about this, and don't mislead the consumer into thinking they are getting just the app's official installer.
  3. Make sure the ads you display don't masquerade as your "download" button. Use ad policies and ad network settings to control the content (for example, AdSense policies can block sensitive ads), and monitor your site to keep it compliant. If you cannot control the ad content, do not place the ads close to your download buttons.

Our policy for Deceptor listing:

  1. If an affiliate or download site comes to us with questions and we find violations, and if they commit to work in good faith with us, we'll generally give them two weeks to make their changes.
  2. When we hunt and find a violating affiliate or download site, we will generally list the site as an active Deceptor. The site owner can work with us to clear it (see below).
    1. If the affiliate app or download manager has directed their affiliate network to require our approval, we will work with the affiliate network.
    2. If the affiliated app or download manager is working with us to get certified, we will warn them.
    3. If neither of the cases apply, we will list the affiliated app or download manager as an active Deceptor, following our supply chain accountability policy.

You can find all our requirements, more prescriptive guidance, and some examples of good and violating behavior at our checklist page.

Your affiliate network or affiliated app may require our approval before you're authorized to offer some apps. Just let us know, and we're happy to give you feedback. Please note, though, that we expect that you'll work in good faith with us to fix all your sites.

If we have called out your site or affiliated app/download manager as an active Deceptor, we'll work with you, for free, to answer your questions, and to re-evaluate it and hopefully get it off our active Deceptor list. Just read our faq, then email us at [email protected] when you're ready.

 

Happy Third Birthday, AppEsteem!

It's been three years since we started this company and its proposition to help software monetizers thrive by building a self-regulation system.

It's been quite the journey. We spent the first year working through our requirements and building trust with both the security companies and the monetizers. We spent the second year operationalizing our workflow, introducing our Deceptor list, scaling out our business.

This third year has been a solidifying year for AppEsteem. We experimented with new ways to encourage companies to work with us, and we came up with new and improved value propositions. We moved our non-profit alignment from CSA to CleanApps.org. We started certifying anti-malware products and designating them as Deceptor Fighters. We ran several campaigns to help drive needed change, including one that prevents system utilities from abusing free scans results, and another that cleans up badly-behaving affiliates. And we certified three more call centers.

We're very proud of the positive impact we've made for consumers. We know they're in a much better place as they download apps for their PCs. The hundreds of apps we've certified, and the hundreds of apps that have successfully cleaned up after being called out as Deceptors, have helped transform the software monetization world into a kinder and gentler place.

But we're not done. We still see consumer abuse in call centers, download sites, and through rogue affiliates. Sometimes our customers don't act in good faith. And while Windows downloads are now much cleaner, MacOS has gotten noticeably worse, browser extensions and Android apps need more help, and we haven't figured out how to keep Apple and Google paying attention. We need to work on all these problems in our fourth year.

And there's more we're working on. We will soon release Blur, our browser extension that will help consumers "look ahead" and be warned if an ad or a search result will take them to an unsafe site. And we're tinkering with a Most Valuable App program that goes beyond measuring compliance and starts to look at an app's value to consumers.

All of the progress we've made only works because of three things: software monetizers who are committed to building consumer-respecting apps, security partners dedicated to rewarding them while still punishing the unwanted, deceptive vendors, and dedicated employees and partners who work like crazy to make it all happen. Thank you so much for your support!

Policy Updates for Deceptive Affiliate and Download Websites

Since last October, we've been calling out affiliate websites as Deceptors when we observed them making unsubstantiated claims, or when they auto-downloaded apps without presenting the consumer a valid offer.

This has led to good changes on many affiliate sites. Consumers don't have to read untrue statements, and they now get a chance to accept an app before it shows up on their machine.

But although these changes have been helpful, we still observe the following unwanted behaviors on affiliate sites:

  1. Vague and non-specific claims that have the intent to deceive consumers. An example of these kinds of generic claims are found on "how to remove" affiliate sites that offer malware and spyware removal tools. We think that sites making generic claims know they are scaring consumers into downloading the offered apps.
  2. Download sites that purposely allow confusing "start" and "download" ads and offers to surround the actual download button. We think these ads and offers are masquerading as the button the consumer wants to click, and the download site knows they are tricking the consumer into getting an unwanted download.
  3. Download sites that offer an app, but when the consumer accepts the offer, they get a "download manager" that first makes more offers to them. We think the consumer must only get the app that they accepted; if the download site wants the consumer to run their download manager, they must offer it to the consumer, and the consumer must accept that offer, before it's downloaded.

When we find a deceptive affiliate or download site, we'll consider both the site and the affiliated apps as Deceptors. We spent the past two months aligning this policy change with our security partners, and we're looking forward to implementing them later this month.