What Your Security Credit Score Actually Measures
Last month, a user emailed us. She'd just opened ARK, seen her score drop from 78 to 64 overnight, and wanted to know what had changed. The answer turned out to be a single app she'd installed that morning. That conversation is why I'm writing this.
A number without context is just noise
When we launched ARK's security credit score, we knew we were borrowing a concept from financial services. Everyone understands a credit score between 0 and 100. It's familiar. But familiarity can be dangerous if the thing being measured stays opaque.
A financial credit score reflects your repayment history, debt levels, and credit mix. It's backward-looking data compiled by institutions into a single number that matters for mortgages and loans. A security credit score has to work differently. It's forward-looking. It's measuring your device's current exposure to real threats. And it has to be something you can actually act on in the next five minutes.
So we built the score to measure four specific domains: device security, network exposure, app permissions, and breach exposure. Each one maps to a category you can see, understand, and fix. If your score drops, you're not staring at an inscrutable black box. You see exactly which category changed and why.
Device security is the foundation
This is the easiest part to explain and the hardest to get right. Device security looks at whether your phone's basic defences are actually switched on. Are you running the latest OS? Is your passcode strong? Is your biometric lock enabled? Have you disabled developer mode? Are remote wipe capabilities active?
We don't run antivirus scans. We're not checking for malware files. What we're checking is whether you've left doors unlocked that malware could walk through. The user who emailed us had installed a banking app that requested unusual permissions. Her score dropped because we flagged it in the app permissions section, but her device security itself hadn't changed. That distinction matters because it tells her where to look and what to do about it.
This is also where we check for stalkerware. It's the only scan that runs free for everyone, across all tiers, because it's the one thing that can genuinely compromise your physical safety. We see users checking their partners' devices, their teenage children's phones, devices they suspect have been compromised. That check exists because stalkerware isn't a score bump or a warning. It's a red line.
Network exposure is about what's listening
Most people think their network security begins and ends at their Wi-Fi password. The score measures something closer to the truth: whether your device is leaking data across networks it shouldn't be.
We look at DNS leaks, which happen when your device queries for web addresses outside the tunnel it's supposed to be using. We check whether your 2FA tokens are actually secure, not just whether you've enabled 2FA. We analyse your Wi-Fi connections to spot networks with weak encryption or suspicious setups. These aren't theoretical risks. A DNS leak on public Wi-Fi means ISPs and network administrators can see your browsing activity. A vulnerable Wi-Fi network means anyone in range can intercept your traffic.
The score in this section rises when you've tightened these gaps. It falls when you connect to a sketchy network or when a device update accidentally resets your 2FA settings. We show you both, because context is everything.
App permissions are where most people get it wrong
Here's a hard truth: almost no one understands what they're granting when they tap 'Allow' on a permission prompt. You install a flashlight app. It asks for access to your contacts. You're in a hurry. You tap 'Allow' because you don't want to disable the feature.
The security credit score doesn't judge your choices. It reports them. It tells you which apps have which permissions and flags the ones where the permission seems misaligned with what the app does. A weather app that wants access to your camera. A note-taking app that wants your location history. A game that wants your call logs. These requests aren't always malicious, but they're worth knowing about.
We also check what's happened to apps you no longer use. People forget about apps. They delete the icon but never uninstall. An old app from three years ago that you never opened still has permissions. It still could be phoning home. That gap between 'probably fine' and 'actually fine' is where security breaches live.
Breach exposure is about your past catching up
Your score includes whether your email address or phone number has appeared in a known data breach. We cross-reference against the HIBP (Have I Been Pwned) dataset. If your information has been leaked, you know it. If it hasn't, that's good. But the score doesn't stop there.
Fortress users can check the dark web. We monitor places where breach data gets traded, sold, and reused. If your credentials have surfaced in criminal markets, that's a different kind of urgent than a historical breach. A historical breach might mean your old password from LinkedIn is floating around. Dark-web exposure might mean someone is already trying to use your information right now.
The score reflects that difference. A historical breach pulls the score down, but it's predictable and manageable. You change your passwords and enable 2FA. A dark-web flag is rarer, more serious, and demands immediate attention. The score tells you which one you're facing.
Why the score matters more than the number
The real value isn't in hitting 85 or staying above 90. It's in understanding what changed and why. We built one-tap remediation deep-links into every scan because knowledge without action is worse than useless. It's frustrating.
When that user saw her score drop from 78 to 64, she knew immediately: the new app was the culprit. She saw the permission request. She had options. She could uninstall, she could revoke the permission, or she could keep it and accept the risk. That's security credit scoring done right. The score becomes a tool for making informed decisions, not a badge to display or a number to obsess over.
It's also why we don't hide these numbers behind paywalls. The free tier shows you the score and runs the permission check and stalkerware scan. You get to see what's happening on your device without paying anything. The Shield and Fortress tiers add depth: breach history, dark-web exposure, GDPR automation, password health. But the foundation score is available to everyone because everyone deserves to understand their own device.
Your security credit score is only useful if it explains something you didn't know about your phone and gives you a way to act on it. Does the score you're looking at do either of those things?
Ready to try ARK by MRVL?
One tap to download. No sign-up wall.