AppEsteem Blog

Why Certified apps sometimes get detected

Antimalware products detect vendor-developed applications for a variety of reasons, usually revolving around their belief that the app is cheating, scaring, or tricking the consumer.

We offer vendor-developed apps a certification service so that a vendor can develop a consumer-respecting app, knowing they won’t be surprised by a detection. Our certification service verifies the app’s behavior, as well as the behavior of its ads, how it distributes, and its purchase, support, and call center methods. We offer a comprehensive, evolving checklist of Application Certification Requirements to help our customers stay compliant. These requirements have been thoroughly vetted over the past six years with many security companies.

Each security company releasing antimalware products maintains its own criteria for detecting vendor-developed applications. Usually these criteria align with our requirements, but sometimes we have differences. We strive to understand these differences by working with the security companies, so we can tell vendors how to ensure their apps remain consumer-respecting and not detected.

One way we try to keep in sync with the security companies is by running tests. Every month we produce an Unwanted Software Handling Certification Test (we call it the DeceptorFighters Test for short) Report. In this test, we measure how well various antimalware products can block and allow vendor-developed applications.

To pass the test, an antimalware product needs to get a 95% score on blocking Deceptors and allowing Certified apps. We provide free feeds of all the apps in the test, and we allow the antimalware products to dispute our scores by telling us why their policies led them to allow the Deceptor app to run, or to block the Certified app.

We’ve been running this test for over three years, and we’ve figured out that the security companies behind the antimalware products we test are at various maturity levels for how they handle Unwanted Software (UwS) and Potentially Unwanted Apps (PUA).

Below we’ve mapped these maturity levels, from most to least mature, into the reasons why an antimalware product may detect a certified app.

DeceptorFighter antimalware products: they generally provide vendors and us with the actionable reasons why they detect Certified apps. They usually have well-published and well-understood policies for vendor-developed apps. They have a large enough staff handling vendor-developed apps to keep up with incoming disputes.

Contender antimalware products: we’ve seen they are actively working to distinguish between wanted and unwanted software. They have researchers dedicated to analyzing vendor-developed applications, and they publish their criteria. They can usually explain why they detect a Certified app, and they generally respond to our queries. We believe the security companies behind them are working on getting more mature in this area, and their antimalware products will soon be DeceptorFighters.

Potentially Unfair Blocking antimalware products: we notice that they claim to be great at detecting UwS and PUA, but either they haven’t established public criteria for doing so, or they don’t have an efficient way for vendors to dispute these detections. Most of the security companies behind these products don’t communicate well with us, either, leaving vendors in the dark as to why they’re being detected. These security companies may be rewarded for their unfair detections by falsely claiming protection, driving up their own conversions to paid products.

Significant Effort Required antimalware products: we believe that the main reason these security companies detect Certified apps is because they don’t put any focus onto UwS or PUA. They may be great at detecting malware and ransomware, but their ability to focus on vendor-developed applications is either unfunded or immature.

To think about why a Certified app is detected by an antimalware company, just map the security company into its corresponding maturity category:

  • First, it may be that a DeceptorFighter level antimalware product has provided the app its actionable reasons for detection, and the app has decided to not implement the fixes. Note that vendors of Certified apps have committed to fix issues as they are reported by antimalware companies, so if an app is being detected for this reason, the detection usually only lasts a few days.
  • Second, it could be that a Contender level antimalware product is still evaluating the app, and it will take some time (up to a few weeks) for them to clear it before they stop detecting it.
  • Third, a Potentially Unfair Blocking level antimalware product may be monetizing its detection, or they may have made a conscious decision to ignore disputes from vendors. Note that most of these vendors are small, with limited consumer market share.
  • Fourth, a Significant Effort Required antimalware product might have automation-level detection, with nobody monitoring the results.

We suggest that our customers focus on ensuring their Certified apps have no detections by DeceptorFighters and Contenders, because these security companies are mature enough to not only have well-understood policies, but also to have the staff in place to handle vendor disputes. Fortunately, the antimalware companies in these two categories make up the vast majority of the consumer market share.

Here’s a list of antimalware products that remained either DeceptorFighters or Contenders for the entirety of last year (see the 2021 report here):

Meanwhile, we continue to try to work with all security companies. Our Deceptor and Certified feeds, as well as our ACRs, are available free of charge for security companies to use as they work to increase their own maturity levels in how they handle vendor-developed apps.


Deceptors wish we’d stop calling them out

Today CSA released a document containing a collection of vendor opinions about our Deceptor program. It seems several vendors took the time to add their thoughts, and we believe their views will be helpful as we keep improving our efforts to prevent consumers from getting infected by deceptive, harmful, and unwanted software.

Our take: we’re encouraged by the apparent effectiveness of our Deceptor program. The document is a great example of how the software monetization industry has been impacted by our work, and that there is now a strong sense of urgency in the industry to clean up. We understand that the process is disruptive, but we believe this approach results in better-protected and better-respected consumers.

Reading CSA’s document got us reflecting on those who have hijacked the software monetization industry and messed it up for the honest vendors. Just like we don’t want them to succeed, it seems these organizations want our Deceptor program to fail. We think this would be a real shame for consumers.

Running this Deceptor program is tough. It’s not easy to strike a balance between disrupting bad actors and encouraging honest vendors. We’ll scour the vendor comments in CSA’s document for new ideas we can use to get it right. We’ll continue to engage with and take input from our security partners, vendors, and consumer representatives. We’ll find ways to get regular input from vendors committed to doing it right. And we’ll try to make every decision based on what is best for consumers, even when these decisions are unpopular with the monetization industry.

While we’re happy that CSA’s document confirms that the Deceptor program works, we do understand that there are vendors out there who do want to treat consumers with respect, and who are shocked, offended, and even ashamed when they discover their app has landed on our Deceptor list.

If you’re a vendor who’s gotten entangled in an industry that spent the past decade telling you that your primary focus should be performance marketing instead of bringing your unique value to consumers, we want to get you back on track with as little fuss and as much help as possible. We have some great (and mostly free) services for you to consider:

  1. FREE: We’ll answer your questions and help you get your app off our Deceptor list.
  2. FREE: We’ll let you know (with up to 30 days’ notice) about Deceptor violations if you register your app to our Deceptor notification service.
  3. FREE: We’ll certify your app so you can show the world your app is safe and it respects consumers.
  4. PAID: We offer value-added subscription services like unlimited compliance consulting for your app, “insiders” access to requirements changes and industry trends, embedded electronic seals for your certified app, and assistance figuring out what to do when our security partners flag your certified app.

But we also want to be clear: if you think it’s fine to treat consumers as exploitable targets for deceptive and aggressive software, we totally understand your desire for us to leave you alone. We strongly suggest you either get on board or find something else to do with your time, as we’re going to continue to tune our Deceptor program to find even more effective ways to disrupt your ability to hurt consumers.

Good guys and bad guys, but don't forget it's our birthday

Today is AppEsteem’s second birthday. To celebrate, I spent yesterday afternoon on the witness stand in a federal courtroom in Austin, Texas, advocating for one of our customers. I explained to the judge that we work so hard to punish bad guys and reward good guys because we’re convinced this is the only way consumers can be protected from unwanted software.

I told the judge that there are plenty of bad guys building unwanted software in the software monetization space. He could look at our Deceptor list and find many examples of apps and bundlers cheating, tricking, and unpleasantly surprising consumers in their quest to gain market share. 

But I also told him that the good guys aren't just the AVs; good guys are also building apps, and not everybody on our Deceptor list remains a bad guy. Some companies, when we point out their mistakes, fix their app’s issues and ask us to remove it from our list. Some of these companies take another courageous step and choose to certify their apps, showing the world that they are committed to building apps that respect consumers, and that they are good guys.

I explained that we love it when companies reach this level of commitment, and we work hard to help their certified apps thrive. Because this is our grand experiment: if we can identify the clean apps made by the good guys, our security partners can fight that much better against the bad guys, and we’ll end up in a better world where consumers don’t have to worry that the apps they install will hurt, trick, or cheat them.

We don’t yet know how the judge will rule. I hope he can find a way to help certified apps thrive without weakening the regulations that allow security companies to protect consumers.

Today I’m back in the office, and I’m reflecting on the last two years. We have over sixty apps that have made it through what can be a grueling certification process, and we have at least that many more in our certification pipeline. We’ve called out almost four hundred Deceptor apps and services, and we’ve been thrilled that this approach has been super-effective at driving change in both the vendors and the AVs. We’ve adjusted our business model, and last month we got the best second birthday present we could have imagined: our monthly billings exceeded our monthly expenses, and we reached break-even.

It hasn’t been easy, though. Getting the software monetization industry to try a new approach has sometimes felt impossible. Even two years later, we still are dealing with trust issues with a couple of the AVs. We haven’t figured out a productive relationship with the Clean Software Alliance. Some app companies remain on the sidelines, wondering if we’re going to survive. We’re still struggling to raise urgency with the browsers and search platforms so they’ll take action against Deceptor browser extensions, and we haven’t yet solved how we’re going to be able to drive change against Deceptor affiliate networks.

But now that we’ve proven our business is viable, we know every challenge is surmountable. Our cause is righteous, and it’s also desperately needed. Consumer-hurting apps must disappear, and the bad guys who make and distribute them need to either change their ways or find a different line of work.

If you’re still sitting on the sidelines, come and join us! It’s time to show the world that you’re committed to consumer protection and clean apps. Just like yesterday when we supported a good guy’s certified app in court, we’ll work as hard as we can to help certified apps thrive. We’ve proven that we won’t crumble under the pressure, and we promise that we won’t relent in our fight to protect consumers by stopping the bad guys and driving better behavior.

Nice confirmation of our plans... thanks Fortune, Google, and NYU!

Fortune published an article last week titled This Software Is So Sleazy, Google Calls It Ooze. It refers to this blog entry by Google, which summarizes the results of a study by Google and NYU researchers that lays out some of the worst parts of the software monetization industry.

The article tells how consumers end up being deceived and bamboozled into downloading software they don’t want or need. It describes how the current system of incentives is encouraging bad behavior, rewarding fraudsters, and harming consumers. And it notes the need for solutions. “One of the primary outcomes of this research is, we hope, to raise awareness from the research community at large,” says a Google researcher, “and to focus more on techniques to help protect users.”

We at AppEsteem couldn’t agree more. Our entire business is dedicated to offering a solution to all this “ooze” -- one that will help the industry get clean and thrive, so consumers can live in a world where they no longer need to fear installing or using apps.

Check out our plan to find out more!
