New beta readiness review - appesteemblog.appesteem.com/file.axd?file=/msra security partner...
Beta readiness review
Learnings, next steps, request for support
Dennis Batchelder, AppEsteem Corporation
July 2016
AppEsteem provides a safe haven for clean software monetization vendors…
…so we can squeeze out the dirty players
  who fund their business by tricking and cheating customers
  who grow their business by outbidding the clean players
We help security partners protect their customers from PUA
Before AppEsteem
Certified apps make a better world
Beta Readiness
April - June: Prepare
✓ Roadshow with AVs, platforms, CSA, Compliance officers (5 shows, visits)
✓ Recruit dev/research team (12 on team)
✓ Sign up installers/downloaders/vendors (2 installers, 3 vendors, 6 CRXs)
✓ Figure out monetization plan (fee schedule socialized)
Still in progress…
• Establish validation and certification scorecards (have drafts)
• Deliver first cut of SRCL and seals (SRCL going out next week)
• Get more Security Partners into beta (that's today)
• Land MOU with CSA
August - September: run betas/pilot
• Windows PE (August)
• CRX (September)
How it works
[Diagram: workflow between vendors, compliance partners, AppEsteem and Security Partners; steps recovered from the diagram, in order:]
• Provide basic info; sign license agreement
• May choose compliance partner; accept client; countersign agreement
• Generate app key
• Build and distribute app; view telemetry
• View telemetry
• Update behavior graph; alert on anomalies
• Construct behavior graph; anonymize, aggregate, publish
• Submit/renew vendor disclosure every year
• Sign off on disclosure interview
• Investigate and approve/reject
• View approved disclosures
• Submit/renew certification request every year / every major version
• Sign off on certification request
• Analyze, test, and approve/reject; construct behavior graph
• Generate seal
• View approved certifications
• Rebuild with seal; register final package
• Re-certify and publish "signature"
• Fix app and resubmit; sign off on changes; notify vendor of block; initiate remediation process
• If blocking: notify why; consume "signatures"
• View telemetry, alerts; consume "signatures"
Fee (from diagram): $2000, $200, 1% of LTV60
What the beta (pilot) will measure
Measuring: Can we increase customer offer satisfaction?
Hypothesis: Offer screens trick customers into clicking through and leave them dissatisfied. Sealed apps with certified offer screens will lead to better informed and happier customers.
Measuring success: Reduced sealed offer startup rates. Increased sealed app lifetime.
Measuring: Can we reduce vendor evasion?
Hypothesis: Today's installers evade detection by morphing hosting locations, digital signatures, product updates, brand names, and domains. Sealed apps won't need this, which reduces the cost to protect.
Measuring success: Less evasion: reduced certificates, domains, landing pages, product updates for sealed offers.
Validation: where we are
What we've done
• Collected data on our own
• Conducted investigations using public data (Glassdoor, lawsuits, IP ownership)
What we've learned
• Disclosures and vendor commentary seem to be the most appropriate approach
• Compliance partners will help
• Structured interviews will reduce our investigative time
What we plan to gather and make available to security partners (Category: Data)
Structural Information: Ownership, DBAs, Addresses, Contacts, Licenses, shared ownership companies
Business Relationships and potential conflicts of interest: Partnerships, Affiliates, trademark disputes, areas not following guidelines
Evidence of Controls: Affiliate management, Advertiser management, IP protection, Supply chain management
Commitments: Attestations to following clean guidelines
(Investigation results): Public reputation, news, posts
Certification: where we are
Where we started
• Google's Unwanted Software Policies
• MMPC's Objective Criteria
• CSA's Guidelines
• Inherited principles: Consumers need consent, control, and no unpleasant surprises
What we learned
• Missing principle: consumers shouldn't feel cheated after paying
• Important to track the entire creative -> landing page -> install supply chain
Addressing gaps we've found (Gap: New Requirements)
• No app monitoring requirement leaves vendors without verification: Apps must link and not evade SRCL library, must honor "uninstall" command
• Great apps can still have bad affiliates, causing suspensions by platforms: Landing pages must block obscured references, must publish affiliate restrictions
• Normal "next" install flow leaves consumers surprised: Unrelated offers must have unselected radio buttons where the consumer must choose to continue
• Need better context to do a fair evaluation: Require apps to submit a value and monetization statement
• In-product upgrades need evaluation: System utilities must have a reputable 3rd party vouching for their value
• Ad injection has standards too: Set the toolbar bit for AppNexus auctions/equivalent
The seal: where we are
Where we started
• We heard concerns of using Taggants
• We planned to roll our own seal to support our capabilities
What we learned
• We need to be open and allow competitors
• We need to reduce implementation friction
• Several AVs already implemented Taggants
• Better to patch holes than introduce brand-new security
Taggant implementation plan
• Single signer (AppEsteem)
• New data inside: distribution rights, certifications, vendor attestations
Taggant v2 info
• Identification: Taggant v2 info
• Distribution Rights: W3C's ODRL-JSON format
• Certifications: Guidelines/version numbers
• Vendor attestations: Value statement, Monetization statement
Two-phase commit
1) Vendor signs app, submits
2) AppEsteem certifies and builds seal
3) Vendor packages seal, re-signs app
4) AppEsteem registers app
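The two-phase commit above, as an added example that is not AppEsteem's code or the real Taggant format: a Python model of the four steps in which HMAC stands in for each party's signing key (an assumption made so it runs offline) and the seal layout is constructed. It shows why the seal binds to the hash of the unsealed app: registration fails if either the app bytes or the seal contents change after certification.

```python
import hashlib
import hmac
import json

# Constructed demo keys. Assumption: HMAC stands in for each party's signing key so the
# example runs offline; a real seal would use asymmetric signatures.
VENDOR_KEY = b"vendor-demo-key"
APPESTEEM_KEY = b"appesteem-demo-key"
SEAL_MARKER = b"\n--SEAL--\n"  # constructed layout: unsealed app bytes, marker, seal JSON

def sign(key: bytes, data: bytes) -> str:
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def canon(obj) -> bytes:
    return json.dumps(obj, sort_keys=True).encode()

def vendor_submit(app: bytes) -> dict:
    # Step 1: vendor signs the unsealed app and submits it.
    return {"app_hash": hashlib.sha256(app).hexdigest(), "vendor_sig": sign(VENDOR_KEY, app)}

def build_seal(sub: dict, app: bytes, rights: dict, certs: list, attest: dict) -> dict:
    # Step 2: AppEsteem checks the vendor signature, then signs a seal binding the app hash
    # to distribution rights, certifications and vendor attestations.
    if not hmac.compare_digest(sub["vendor_sig"], sign(VENDOR_KEY, app)):
        raise ValueError("vendor signature does not match the submitted app")
    body = {"app_hash": sub["app_hash"], "distribution_rights": rights,
            "certifications": certs, "vendor_attestations": attest}
    return {"body": body, "appesteem_sig": sign(APPESTEEM_KEY, canon(body))}

def vendor_package(app: bytes, seal: dict) -> tuple:
    # Step 3: vendor embeds the seal and re-signs the whole package.
    package = app + SEAL_MARKER + canon(seal)
    return package, sign(VENDOR_KEY, package)

def register(package: bytes, final_sig: str) -> bool:
    # Step 4: verify the re-signature, the seal signature, and that the seal still
    # refers to the app bytes actually shipped.
    app, _, seal_json = package.partition(SEAL_MARKER)
    seal = json.loads(seal_json)
    return (hmac.compare_digest(final_sig, sign(VENDOR_KEY, package))
            and hmac.compare_digest(seal["appesteem_sig"], sign(APPESTEEM_KEY, canon(seal["body"])))
            and seal["body"]["app_hash"] == hashlib.sha256(app).hexdigest())

def demo() -> tuple:
    # Honest flow, then two post-certification changes that registration must reject.
    app = b"demo-app-binary"  # constructed stand-in for a PE or CRX
    rights = {"@context": "http://www.w3.org/ns/odrl.jsonld", "permission": []}  # ODRL-JSON shape
    seal = build_seal(vendor_submit(app), app, rights, ["guidelines v1"],
                      {"value_statement": "demo", "monetization_statement": "demo"})
    pkg, sig = vendor_package(app, seal)
    swapped = pkg.replace(b"demo-app", b"evil-app")  # app bytes changed after sealing
    forged = {"body": dict(seal["body"], certifications=["forged"]), "appesteem_sig": seal["appesteem_sig"]}
    return register(pkg, sig), register(swapped, sign(VENDOR_KEY, swapped)), register(*vendor_package(app, forged))
```

`demo()` returns `(True, False, False)`: the honest package registers, while a swapped app or an edited seal is rejected even though the vendor's re-signature on each is valid.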
Monitoring: where we are
What we planned
• Easy linking with our Self Regulating Client Library (SRCL)
• Work with PEs, CRXs, APKs
• Report heartbeat, time to live, blocks, anomalies
• Easy way for Security Partners to report problems
Built for PE files
• Using Microsoft Detours, auto-inject unsealed child processes to monitor registry, file, process (soon network)
• Screenshot samples to capture offers
Building for CRXs
• CRXs: using AspectJS to monitor
• Screenshot samples to capture ad injection
Building a behavior graph (Category: Data)
• App Information: Provenance, Landing page, Identification, Install locations
• Components: Libraries, Children, Parents
• Actions: Processes, Libraries, File, registry, process, Cookies, bookmarks, history, tabs, Default overrides, Advertising
Remediation: where we are
Where we started
• Goal is to encourage the right behavior
• Hope to never need to use the nuclear options
Where we are
• Needs lots of IQ investment to get this right
Remediation thoughts: proportional and escalating response (Stage: Actions)
• Stop bad behavior immediately: Security Partners block new installs; Vendor informed of specific reasons; Block new seals from vendor
• Demonstrate urgency: Throttled/targeted removals; Deep investigations
• Revoke app: Full removals
• Revoke company: Full cleanup
Security Partners: time to commit
Register as a Security Partner
• Security Partner access is FREE
• http://appesteem.com -> REGISTER
• Sign our partnership agreement (we'll send out next week)
What you get
• Validated company and sealed certification disclosures
• Access to sealed apps and analysis results
• Distribution and behavior telemetry
• Signatures and online checks
During Beta
• We're learning this together: we want to get it right
• We want to pivot as necessary
• We want to ensure our behavior graphs are complete
• We want to put serious pressure on the bad guys
Pre-signoff
• Validation and Certification disclosures
• Every install package
• Work to help us get remediation right
[email protected]
@appesteem