AppEsteem Blog

Learn more about what's happening at AppEsteem

Security-reducing apps: a call to action

(Hong Jia and Dennis Batchelder)

We think that many AVs need to update their (potentially) unwanted software policies to make sure they can block apps that reduce security without first obtaining informed user consent. We gave a talk yesterday at AVAR 2022 in Singapore to make our case, show which AVs are currently struggling with protecting their customers against these apps, and ask them to update their policies so their customers can be better protected.

You can see the slides we used for the presentation here.

This was our abstract:

As Avs get better operationalized in their fight against unwanted software (UwS), their combined pressure is driving the software monetization industry toward finding the gaps in AV policies so they can continue to exploit consumers for easy money.

The big gap in AV policies these days, unfortunately, is around apps that make their computers more vulnerable to attacks. The result? A proliferation of apps that needlessly reduce their customers’ security postures and set them up for future attacks, without first obtaining informed user consent. Examples of these apps include VPNs that install self-signed trusted root certificates and free apps that monetize by installing proxies that share their internet connection and processor.

Lately these security-reducing apps that don’t obtain informed consent are grabbing public attention: articles about them are popping up in both security blogs and computer industry news. Some platforms and AVs are beginning to respond – they detect after others have called them out. But the platforms and AVs have been slow to update their policies, and slow to detect these apps as UwS, which leaves a gap that software monetizers continue to exploit.

Our session will show examples of how these apps reduce their customers’ security postures. We will highlight the platform and AV public policy gaps that have led to the spread of them. We’ll make suggestions as to how Avs can enhance their policies to better protect their customers from these apps.

Build, Measure, Learn, Improve (our Deceptor Program)

(Dennis Batchelder and Hong Jia)

Today we were at Google’s Mountain View campus attending the Clean Software Summit, and Dennis presented the results of a study we conducted on our Deceptor program. By analyzing the data from the past year, we had four important findings:

  1. The AVs are doing a great job detecting the active Deceptors on our list, which in turn protects consumers.
  2. Merely informing apps when they violate Deceptor requirements is not effective at protecting consumers
  3. A low percentage of active Deceptors (less than 8%) eventually become paying customers
  4. We’ve identified additional ways we can make our operations transparent with the app vendor community

You can find more details in our presentation – we hope you find the data and findings as fascinating as we did!

 Note that in the deck, we also announced we’re taking four immediate actions:

  • Formalize AV Relationship: To showcase AV effectiveness even more, we’re going to align with the AV-driven initiative to formally ratify our Deceptor and Certification requirements. We believe this will make the Deceptor program even more effective at protecting consumers, and at the same time reduce the false positive detections of certified apps
  • Require Registration: Because of the proven ineffectiveness of merely informing apps of their violations, we will provide notifications to apps that violate our Deceptor requirements only if those apps have previously registered for notifications with us
  • Increase Transparency: To give app vendors assurance that we operate fairly, we’re providing insight and input to CleanApps.org, an app vendor-based non-profit organization
  • Provide Opportunities: We’re actively seeking monetization opportunities that certified apps can benefit from. A great example is BlackSwan’s EverCore program, which manages its risk by requiring all offers, carriers, and call centers to be certified by us

Finally, we gave a heads-up about a big upcoming Deceptor campaign; if you're an app vendor, it's worth checking this out.

Just a reminder: it’s free to register with us, and free to get your app certified. You can sign up at https://appesteem.com, or email us at [email protected]

Here's a pic from my presentation... 

 

 

Finally some carrots for clean monetizers!

Today we gave a talk during ASW in Las Vegas, where we presented updates to our Deceptor program, made a pitch for our premium services, and showed some cool monetization opportunities from our partners.

That last piece: the "cool monetization opportunities," is very exciting for us. For a while now we've harped on how our Deceptor program will drive urgency for apps to clean up, but now we're also able to demonstrate some clear wins for clean monetizers.

Both of these monetization opportunities are relying on us to help them get the compliance right. And both of these opportunities will lead to a better and safer world for consumers. We hope both Chip.de and Blackswan Ventures' EverCore programs will flourish.

Here's a picture of our customers/partner panel talking about the value of our premium service. Thanks David for leading this, and to Amir (Blackswan), Paul (AbeApps), Kyle (SafeBytes), and Bogdan (PC Drivers HQ) for showing their partners and competitors how AppEsteem is helping certified apps to thrive.

 

Busting the Barriers to Clean Behavior

(Dennis Batchelder)

(tl;dr: we removed a big barrier to getting certified or requiring certification: the fee. read on for more...)

Buenos Dias from Madrid, Spain! David, Jaimee, and I attended the Clean Software Alliance Summit, and we spent two days hearing from software monetizers, most of the major AV vendors, Google, and Microsoft about the state of the software monetization industry.

I also gave an update on changes we're making to AppEsteem to help drive faster adoption of clean practices. I've attached the presentation so you can see them for yourselves... we're super excited about these changes, and we think it's going to give many more vendors the incentive they need to get off the sidelines and make a commitment to clean behavior.

Here's the presentation.... and just as a teaser to get you to read it, here's some of the cool barrier-busters we announced:

  • Certifications are now free. If you're on a budget, or if you're happy with your compliance team, no worries: we'll evaluate your app at no cost. If it meets our requirements, we'll issue you a certification and inform the security companies that you're compliant. (wow wow wow!)
  • Software vendors who commit to following our requirements can register their apps with us, and we'll provide early notification if we happen to find violations that would land the app on our Deceptor page.
  • We've made it even easier to follow our application certification requirements with a new checklist page that provides prescriptive guidance and shows examples.

 

Helping China's software monetizers get it right

(Dennis)

As you may have seen in our Deceptor page, we've listed a number of China-based software monetizers who are distributing their apps globally.

We see an opportunity to help China's software monetizers figure out clean ways to distribute their software world-wide. Our goal is that when they want to take their products to a global market, part of their process is to get certified first. This would save them the hassle of going through a Deceptor set of detections and then cleaning up.

Therefore, we announced at the 5th China Cyber Security Conference this week that we'll be publishing our App Certification Requirements in Chinese. We'll also devote some publicity to letting China's software monetizers know that we can help them get their apps right before the launch. We're hoping that by doing this, we'll save consumers (and the software monetizers) a lot of headaches.

I've attached an excerpt of the presentation I gave at the conference. Check out the second to last slide for the Chinese vendor offer.

Here I am with Christine, my translator. Jesse Song, the conference's organizer, realized that we needed to translate Deceptor, so he worked with Hong to come up with something. I think it ended up being called "cheating software" in Chinese. We'll have to come up with another catchy logo...

AV companies: help us help you

We're very proud of the work we're doing to call out deceptive apps. It seems we've found a game changer that drives a lot of urgency in the software monetization industry and gets our security partners excited. Woo hoo!

We want even more AVs to participate, so last week in Krakow, Poland, we made a pitch to the CARO crowd on how our Deceptor feeds could save them time and increase their effectiveness. You can see the presentation here.

The talk got more AVs to agree to consume our feeds, which was great. We can't wait to call out even more deceptive apps for them to review!

 

It took us almost a year to figure it out and get it working, but now that we've seen what our Deceptor program can do, we've decided to embed it deep into our app certification operations. For instance, when we validate future vendors, we'll require that none of the apps they build, sell, distribute, white label, or monetize are Deceptors. Same with our Better World Network: our certified call centers, payment processors, and installers all will be Deceptor-free.

And what a great world it will be for consumers when the Deceptors are all gone... Thank you, AVs, for joining in and helping raise the urgency to get this problem fixed!

 

Making our pitch and spreading the word

(from Dennis)

One of the software monetizers' main conferences, Affiliate Summit West, took place this week in Las Vegas. Today AppEsteem sponsored a CSA update, given by Adam Agensky. We followed that up with a panel discussion about how our pilot has been going. And then I gave a presentation about the value we're offering, trying a new approach to make the pitch. Here's the deck in case you missed it.

The meetup went very well: standing-room only, with lots of engaged attendees. The panelists (execs from 383 Media, PC Drivers HQ, Spigot, and Lavasoft) gave a good overview of what has gone well and what they still hoped for from us. This sparked some good discussion about what other services we could provide.

We're super-excited about where we are after just nine months: our pilot is working, both our customers and security partners have engaged, and there's quite a buzz in the software monetization space about what AppEsteem is doing to help the industry. There's nothing quite as nice as hearing our customers giving rousing sales pitches for our services, and we're grateful for their support!

So you can get a feel for the event, I've attached a picture I took of the panelists. David Finn, our intrepid COO, is on the far left, then there's Paul, Bogdan, Jesse, and Daniel from the companies listed above.

 

 

Strengthening our security partners

AVAR (The Association of Anti Virus Asia Researchers) has been hosting Asia-related anti-virus conferences since 1998. Their mission is to prevent the spread of and the damage caused by malicious software, and to develop co-operative relationships among anti-malicious software experts in Asia. This year's conference took place this week in Kuala Lumpur, and the theme was "Is AV Dead?"

I certainly hope AV isn't dead :-) They need to protect consumers from malicious and unwanted software. If they don't do this, our job at AppEsteem only becomes that much more difficult.

But AVs are struggling to stop unwanted software. On top of that, most AVs are also software monetizers, and sometimes their products use sales and distribution tactics that make them look like unwanted software themselves. If AVs don't get their act together, I believe that they'll get disrupted by somebody willing to do what it takes to keep the consumer computing experience clean and safe.

My talk was titled Near-death experience: why AVs got clobbered by Unwanted Software, and how they’ll win. I discussed both of these issues, as well as what we've learned so far from our pilot. I hope AVs as well as our software vendors will find it insightful.

We love our security partners. We count on them to hold the line and keep consumers safe. AppEsteem is committed to helping them do this, because we believe that a clean world is a much better world.

One other point: we're thrilled to announce that K7 Computing, a respected Chennai-based AV company, has signed up to be our certification partner. They'll help us scale so we can keep up with the increasing amount of certification requests that we're now receiving. They've begun to dig deep into our comprehensive requirements, and we'll be heading to India next month to get them operational. Once that happens, we'll make a bigger splash, but in the meantime, here's a pic of Hong and me with the K7 crew , taken during AVAR's gala dinner at the KL Tower.

 

 

 

Security Partners: we're open for business :-)

Today at Microsoft's MSRA conference, AppEsteem is announcing that we're finally ready to onboard security partners. It's a great deal: we provide free access to the information they need to protect their customers from PUA, and in return they commit to working with us as they "nudge" our sealed customers back into compliance.

Today we're giving both a review of where we are with our beta/pilot, the learnings and pivots we've made, and our request for support. Here's the deck we're presenting: MSRA security partner pilot review.pdf (1.16 mb)

So far we've gotten lots of positive response from the AVs and browser security teams. They've helped us craft solid guidelines, and provided great feedback on the right technology to use. We're looking forward to a great partnership!

If you're a security partner, a software vendor, or a compliance officer, please come register at our site: http://appesteem.com --> REGISTER.

(I'm amazed at how far we've come in just three months. Our dev/research team is now 12 strong; we've got a great slate of early customers, and supportive security partners. I can't wait for the day when the software monetization industry is clean and thriving!)

Announcing AppEsteem at the CSA Summit

Today we formally announced AppEsteem at the CSA Summit being held at Google in Mountain View. We asked for customers to join our Beta, and we announced that both Tightrope Interactive and RedBrick have agreed to build sealed installers and download managers for the Beta.

I'm incredibly proud of how far we've come in just two months: we've got AVs and platforms agree to be security partners, and we've gotten good vibes from CSA about how they could rely on our seal to help build a safer, sealed ecosystem.

But as you'll see in my deck posted here, we have a lot to do between now and the end of July in order to pull this off. We'll be working hard, and counting on support from our partners and future customers to make this happen.

(Yshey from ESET asked for a pic of him, Oshrit, and me... he said Daniel really wanted it :-)