SafeApp Certificate aims to provide a clean bill of health for Android apps

By Nathaniel Mott, written on March 1, 2013

From The News Desk

SafeApp Mobility founder Joe Santilli is the first, and hopefully last, person I’ve interviewed to compare downloading an app to having unprotected sex. Normally the only way to follow a sentence like that would be “So… that happened,” but I’m told that y’all want something called a “backstory” and “news,” so here goes.

SafeApp Mobility has announced the SafeApp Certificate, an SDK that Android developers can build into their applications to inform users of how the apps use their data, who can access that data, and what the app is allowed to access on their phone. If, say, an app uses an advertising platform that collects data to serve more relevant ads, users would be able to see that information by accessing the app’s SafeApp Certificate. (Don’t worry, I’m just as sick of typing that as you are of reading it.)

Santilli says that he decided to develop the “Certificate” after having one of his developers download and examine 1,000 apps from the Play Store and see how much data they gathered and where it went. Android apps are required to ask users for permission to access certain features or services, such as location, contacts, and Web browsing history, but developers don’t have to disclose what the app is doing with that access.

After seeing the data apps are able to give to third parties without users’ knowledge, Santilli says his first thought was “Wow, this feels like having unsafe sex. I know the app probably isn’t doing anything bad with my data, but when they hand it off to other ad networks…” he trails off. “If you’re having sex with your app developer you’re having sex with everybody they’re having sex with, and everybody they’re having sex with.”

So he decided to build a tool that would allow developers to be more transparent with what their apps do with user data.

“I think consumers have a right to know who’s looking at their data and why,” Santilli says. “If you really look at the [app] business today, most of the markets for these apps aren’t doing anything untoward with [user] data.” Still, he says, a little bit of transparency goes a long way.

Apps that utilize the Certificate consent to having SafeApp Mobility scan the app for malware, what kind of access it needs to the users’ smartphone to function, and who it shares data with. Developers are able to annotate the Certificate to explain why an app needs to access or share what it does, but are otherwise unable to modify the Certificate. This ensures that both developers and SafeApp Mobility are upfront, Santilli says, and offers users a look at what they’ve just installed.

Developers pay between $0 and $10,000 per year for the Certificate, depending on the number of people using their app. Most will be able to use the free tier, Santilli says, but viral apps and those developed by large companies will subsidize that category.

Santilli says that SafeApp Mobility conducted two tests to determine how the Certificate might affect retention and engagement. As the industry shifts from a paid distribution model to a free model monetized via in-app purchases (see: Supercell’s “Clash of Clans,” “Real Racing 3,” among countless others) retention can mean the difference between strong revenues and bankruptcy.

The conversion installation rate of apps mentioning the SafeApp Certificate in the Play Store was 10 percent higher than the same app without the mention, Santilli says. Then, of those who installed the app, 31 percent more kept using the app after the first 24 hours, which is when most people decide if an app will remain on their devices.

SafeApp Certificate is COPPA-compliant, which means that it follows the guidelines imposed by the FCC for young users. (Path recently reached a settlement with the FTC for violating COPPA by gathering kids' personal information without parental consent.)

All told, the Certificate sounds like a solid idea that might be thwarted by sheer laziness. Despite the stink that's been made over privacy issues, from Address Book-gate, Location-gate, and "Thing that hasn't happened yet but when it does it will be appended by gate"-gate, for example, there's typically a lot of hemming and hawing by companies and consumers until the issue is patched up and forgotten.

Or, to continue with Santilli's metaphor: We all know that engaging in physical relations (or whatever non-politically correct way you might put that) is risky, but that doesn't mean we're going to stop and demand a bill of health from everyone we... engage with. We should, and we know that, but we don't.

If the SafeApp Certificate is able to make a real difference, as the company claims that it will, great. But I wouldn't count on every app developer or consumer demanding protection until it becomes more of a hassle to not have the Certificate, or something like it, than it does to sign up and use the tool.