After more than a decade of certifying that websites were safeguarding users’ privacy, Truste Inc. is moving into an area that it says is even riskier: mobile-phone applications.
People take their phones for granted, says Chris Babel, chief executive officer of San Francisco-based Truste. The trouble is, mobile applications can tap into the phone’s capabilities to monitor your every move. “With the wrong app, you realize that it’s a GPS tracking device,” he said.
Truste, which began as a nonprofit in 1997 and then switched to a for-profit business two years ago, wants to reassure users that apps are safe -- while opening up a lucrative new market for itself. It announced plans in September to sell certificates to companies that vouch for an app’s privacy protection. Truste has since signed up more than a dozen customers, including GoDaddy.com Inc., Weather Channel Interactive Inc. and Yelp Inc.
Until now, Truste and rivals such as Symantec Corp. and VeriSign Inc. have focused on personal-computer websites. The companies offer seals of approval that customers place on their sites -- something like a Better Business Bureau certificate -- to show that consumers can safely shop there and share their personal information.
The growth of smartphones and mobile apps has attracted scammers, who once stuck mostly to PCs, said Maribel Lopez, founder of San Francisco-based Lopez Research LLC, which tracks the mobile industry. That includes phishers, who try to coax people into revealing personal information by making a message or website look like it came from a real company, such as a bank.
“The people that do malware, or phishing, haven’t been bothering with mobile to the same extent as they had with other PC platforms,” she said. “Well, all that’s changing now, because everyone has a mobile device, if not several.”
More than a third of Americans now access the Internet on their mobile phones, according to an October survey by the National Cyber Security Alliance and Symantec. Less than half of respondents said they felt very or somewhat safe. Almost a quarter said they used apps that track their location, and 12 percent regularly use their mobile phones for banking.
While Truste provides a seal of approval for an app’s privacy policies, it doesn’t offer a guarantee of security. That means a user’s credit card could still be stolen. It also isn’t alone in verifying that apps protect users. Apple Inc., which runs the biggest app store, does its own vetting of software developers.
“We have a very thorough approval process and review every app,” said Natalie Harrison, a spokeswoman for Cupertino, California-based Apple. “We also check the identities of every developer and if we ever find anything malicious, the developer will be removed from the iPhone Developer Program and their apps can be removed from the App Store.”
Apple has more than 300,000 apps, and users have downloaded more than 7 billion of them to their iPhones, iPod Touches and iPads, Harrison said.
Microsoft Corp. and Google Inc., which also run app stores, have their own approaches. Microsoft uses a multistep process that requires app publishers to get their identity verified, said Todd Brix, a senior director at the company. Then Microsoft reviews and tests the app for five days before publishing it.
Symantec provides the identify verification and code-signing certificates for Microsoft, through a business it purchased from VeriSign this year for $1.28 billion.
“That’s what we believe is good practice,” said Tim Callan, head of Symantec’s trust-services product marketing. The store for Google’s Android apps doesn’t require that, he said.
“The Android platform allows what we call self-signed code,” meaning the app publishers themselves vouch for it, Callan said. That makes it more vulnerable to outside attacks, he said. “That is a bad model, an untrustworthy model.”
Randall Sarafa, a spokesman for Mountain View, California-based Google, declined to comment.
Certain types of apps are riskier than others, said Mandeep Khera, chief marketing officer of Santa Clara, California-based Cenzic Inc., a seller of security software for Web applications.
“It’s OK to play games,” he said. “But when you’re dealing with your personal finances, and very confidential information that hackers are drooling over, I would stay away from those applications for now.”
Some apps promise to scan programs on phones for potentially harmful software. Symantec’s Norton Mobile Security app, for instance, works with Android. The free program has been downloaded 40,000 times.
San Francisco-based Lookout Inc., which has raised more than $15 million since its founding a year ago, also offers such an app. It works on Android, BlackBerry and Windows Mobile phones. The company has more than 3 million registered users.
Truste may be able to carve out its own niche, so long as it can assure users that apps keep tight control over their personal information, said Chenxi Wang, an analyst at Cambridge, Massachusetts-based Forrester Research Inc.
“There is a value to be added there,” she said.
Babel, who was named CEO of Truste almost a year ago, came from VeriSign’s worldwide authentication services business. Truste will generate $10 million or more in revenue this year, he said.
The closely held company, which raised $12 million in funding in June, will continue to provide seals to websites. Prices for certification seals depend on the size of the organization, and can range from $500 to more than $100,000, Babel said. Truste has certified 3,000 websites.
“It helps people understand pretty clearly and quickly,” she said.