Woo-hoo! We're awfully proud to announce that today we've published our Application Certification Requirements.
The requirements revolve around three key principles:
- Consumers must consent to what happens on their computers
- Consumers must never feel tricked or unpleasantly surprised when they install an app
- Consumers must never feel cheated when they pay for an app
If you build apps, you can use these requirements to ensure you meet these principles. And please consider getting your app certified and sealed by us, so our security partners will automatically know your app is clean.
If you keep consumers safe from bad apps, you can use these requirements to help you determine if an app should be allowed to be advertised, offered, installed, or run. Better yet, sign up with us, and you'll be able to trust our seals and save yourself a lot of time and effort.
Our requirements are intended to be comprehensive and serve as a single source of what apps need to do to be considered clean. But although we believe these are the most comprehensive requirements available, we also recognize they will change as we and our partners and customers fight against unwanted and fraudulent behavior. We’ll work with the industry to keep these requirements up to date and relevant.
We have put six months of effort into these requirements. Here's what we went through:
- We identified the various components of an app that we believed needed certifying: traffic to the app, offers about the app, ads in and injected by the app, the installation process, how the app runs, and the uninstallation process.
- We identified the “intent” we were trying to achieve for each component.
- We came up with a naming scheme to track the “scope” of each requirement and a syntax of how we wanted the requirements to read
- We used our knowledge from the industry to capture a first draft of the requirements.
- We researched and cross-validated many related guidelines and detection criteria from across the industry to be sure we captured the needs of as many security and platform partners as possible and that these requirements were comprehensive. Some of the sources included the CSA guidelines; Microsoft’s MMPC Objective Criteria and Bing advertising policies; Google’s Unwanted Software, Adsense, Adwords, Chrome Extensions, and Specific Policies; and the FTC’s dot com guidance.
- We reviewed our proposed requirements with security and platform partners, software vendors, and industry experts.
- We "tested" the requirements on our pilot customers.
- We added a detailed explanation to each requirement to better explain our intent.
- We experimented with the best way to share these requirements. This wasn't easy: we tried documents and spreadsheets, and in the end decided that the best way would be an online form.
We used a Creative Commons license to make it easy for you to use them. We'd love to see these requirements become the standard that the world uses to tell whether an app is clean.
Fortune published an article last week titled This Software Is So Sleazy, Google Calls It Ooze. It refers to this blog entry by Google, which summarizes the results of a study by Google and NYU researchers that lays out some of the worst parts of the software monetization industry.
The article tells how consumers end up being deceived and bamboozled into downloading software they don’t want or need. It describes how the current system of incentives is encouraging bad behavior, rewarding fraudsters, and harming consumers. And it notes the need for solutions. “One of the primary outcomes of this research is, we hope, to raise awareness from the research community at large,” says a Google researcher, “and to focus more on techniques to help protect users.”
We at AppEsteem couldn’t agree more. Our entire business is dedicated to offering a solution to all this “ooze” -- one that will help the industry get clean and thrive, so consumers can live in a world where they no longer need to fear installing or using apps.
Check out our plan to find out more!
This week David Finn and I attended Affiliate Summit East in New York City. We met with prospective customers, secured commitments to participate in our pilot program, and spent time listening to what else AppEsteem could do to help clean up the software monetization ecosystem. It was great - we have more demand to join our pilot program than we can handle, and we have a better understanding of additional benefits we can offer our customers to help make the "safe" ecosystem financially rewarding.
Armed with this knowledge, our team updated the original plan Hong and I put in place back in April.
One hundred days later, our plan's got a lot more detail. We've made adjustments and worked on explaining our intentions more clearly. You can find the latest version (August 2016) at this link: Vision and Plan.
Our vision is simple, and I hope it resonates for you: Consumers have nothing to fear when installing and using free apps on their computing devices. We have a great plan to help make this happen, and we'd love to hear what you think about it. Please send me an email ([email protected]) if you have ideas for improving or correcting it.
-- Dennis and the amazing AppEsteem team
BTW: As you might imagine, some of us were concerned with putting our plans online. Would that drive others to compete with us? Would our security partners look for ways to outflank us? Would the bad guys be armed enough to thwart our attempts to drive them off consumers' machines?
All great questions. And in the end, we decided that if others could help meet our vision by competing with us, we'd welcome them. We want this ecosystem cleaned up in a way that lets the good players thrive, and we believe the best path to get there is if our future partners and customers find us and our plans credible. So we're sharing as openly and transparently as possible in the hopes that together we'll get it done that much faster.
Today at Microsoft's MSRA conference, AppEsteem is announcing that we're finally ready to onboard security partners. It's a great deal: we provide free access to the information they need to protect their customers from PUA, and in return they commit to working with us as they "nudge" our sealed customers back into compliance.
Today we're giving both a review of where we are with our beta/pilot, the learnings and pivots we've made, and our request for support. Here's the deck we're presenting: MSRA security partner pilot review.pdf (1.16 mb)
So far we've gotten lots of positive response from the AVs and browser security teams. They've helped us craft solid guidelines, and provided great feedback on the right technology to use. We're looking forward to a great partnership!
If you're a security partner, a software vendor, or a compliance officer, please come register at our site: http://appesteem.com --> REGISTER.
(I'm amazed at how far we've come in just three months. Our dev/research team is now 12 strong; we've got a great slate of early customers, and supportive security partners. I can't wait for the day when the software monetization industry is clean and thriving!)
Today we formally announced AppEsteem at the CSA Summit being held at Google in Mountain View. We asked for customers to join our Beta, and we announced that both Tightrope Interactive and RedBrick have agreed to build sealed installers and download managers for the Beta.
I'm incredibly proud of how far we've come in just two months: we've got AVs and platforms agree to be security partners, and we've gotten good vibes from CSA about how they could rely on our seal to help build a safer, sealed ecosystem.
But as you'll see in my deck posted here, we have a lot to do between now and the end of July in order to pull this off. We'll be working hard, and counting on support from our partners and future customers to make this happen.
(Yshey from ESET asked for a pic of him, Oshrit, and me... he said Daniel really wanted it :-)
Last night, Dan Shiff from Upclick, Oshrit Aviv from Entero, and I spoke at the e-commerce meetup Tel Aviv. Our three companies offer services to software monetization partners: payments, compliance/strategy, and certifications, so our presentations flowed together nicely.
Oshrit said that I should tell the story of why I care so much about getting the bad guys out of the software monetization space. She said it may inspire more people in the industry to gain the courage it's going to take. And she suggested that since everybody in this industry has known me as "Dennis from Microsoft," that maybe I could explain why I left. That made sense to me, so I prepared the talk, and this was the result... I hope you like it!
(And if you're in this space, I hope you're inspired to get your app/installer sealed!)
Here we are after the talk... thanks to Itai P. for letting us join his meetup, and to Klarna for hosting us!
In a few hours I will speak to the CARO attendees here in Bucharest, Romania. I'm asking them to support the creation of the safe haven of a clean and sealed app marketplace. You can see the deck here: Destroying unwanted software together.pdf
AppEsteem is offering anti-malware vendors a great value proposition: it's difficult to keep up with the classifications of the software monetization applications, because there are too many bad apples in the bunch. Making it easy for them to know the difference between vendors who have pledged to be clean and those who haven't, and providing them data and support when there are questions, helps the anti-malware vendors provide more value to their customers. Plus it allows them to get even more strict on the dirty players in this industry.
We'll see how it goes... the talk is at 8:30 AM, after a long party night sponsored by Avira... at least it's a fun topic :-)
I was in China for the past week on a fact-finding mission to see if AppEsteem could help clean up their app ecosystem. I met with teams from Qihoo, Baidu, Microsoft, and ThreatBook to get educated. Here's what I learned:
- The large AV vendors in China (Qihoo, Tencent, and Baidu) have a robust whitelisting service for in-country apps, which they provide to apps for free. These services include company validation and app certification. So while a local Chinese app has to submit at least three times, the process already exists.
- What's considered "clean" and "unwanted" is different in China than the rest of the world. Many apps trusted by Chinese AV vendors would not pass muster with non-Chinese AVs. Which means that vendors will need help getting their apps compliant for the rest of the world.
- The mobile world works differently in China. Since Google Play isn't available through the Great Firewall, there are many Android app stores out there, each with their own approach to curation. This means that it's pretty easy to lure customers to install repackaged, fraudulent, unwanted, and malicious Android apps from app stores with not-so-hygenic practices.
There's definitely a big opportunity, and even some urgency to get it right. But doing business in China is harder than just hiring a local bus-dev person; we'd have to solve language and cultural issues too.
One thing is clear: I have to think bigger than just Windows. I was thinking that I'd tackle Android next year, but now I'm going to spin up some additional research so I know how a sealed APK would work.
So it will take some time to figure out the right approach, and we'll have to find some great local partners to pull it off. I'd like to get something set up by early next year; in the meantime I'll stay focused on getting the Windows beta up and running.
Today I had the privilege of presenting AppEsteem's plans at the SERENE-RISC Spring 2016 Workshop in Vancouver, BC.
SERENE-RISC's goal is to improve the general public's awareness of cybersecurity risks and to empower all to reduce those risks through knowledge. This seemed like the perfect place to talk about how AppEsteem is going to help fix the software monetization industry.
Here's the presentation: Saving the software industry from itself.pdf (2.30 mb). The talk seemed well-received :-)
Next step: get the technology side demo-able in time for CARO on 20 May :-)
Welcome to AppEsteem. We're going to work like crazy to help the software monetization world work safely... and hopefully have a lot of fun with you as we do it.
We can't wait to explain more! But we have to figure it all out, and get ourselves organized, and that will take a little time.
In the meantime, you'll be able to here more about AppEsteem as we present at the following security and monetization industry events:
- Serene Risc in Vancouver, BC on 27 April 2016
- CARO 2016 in Bucharest, Romania on 20 May 2016
- TLV Software Meetup in Tel Aviv, Israel on 8 June 2016
- Clean Software Alliance meeting in Mountain View, CA on 16 June 2016