Why we built a 0-100 security score for your phone

Six months into building ARK, I sat in a Zoom call with a woman who'd been in three data breaches. She opened her phone settings, scrolled through 87 installed apps, and asked: 'Which ones are the problem?' I didn't have a good answer for her then. Now we do.

The problem with security on mobile

Most security tools on iOS and Android are binary. Either your phone is fine, or it's catastrophic. You get a red warning icon or a green tick. What you don't get is nuance, context, or a clear sense of priority.

When I started talking to our early users, the frustration was consistent. They knew their privacy mattered. They'd read the headlines about breaches and stalkerware and rogue permissions. But when they opened their phone, they couldn't tell what actually needed fixing first. They couldn't distinguish between a minor permission leak and something that could genuinely harm them. That's paralysis, not security.

We spent three months interviewing people aged 25 to 45, parents worried about their kids' devices, and small business owners managing company phones. One pattern emerged: they wanted clarity ranked by urgency, not a wall of technical jargon or a generic pass/fail.

Why a credit score made sense

A credit score is a familiar metaphor. Everyone understands that 750 is better than 450. You don't need to be a financial expert to grasp the difference. More importantly, a score invites improvement. It's not a verdict; it's a starting position.

We spent weeks asking: what would a security score actually measure? Not just whether you have permissions enabled, but whether those permissions create real exposure. Not just whether you've been in a breach, but what data was exposed and whether it's circulating on the dark web now. Not just password strength, but whether your passwords are reused across sites, whether two-factor authentication is switched on, whether your DNS queries are leaking.

The 0-100 scale became our way of saying: here's your baseline, here's what's dragging you down, and here's the order in which to fix it. A user with a score of 42 doesn't need to understand PKI or certificate pinning. They need to know that three apps have unnecessary contacts access, one device is using an unprotected Wi-Fi network, and two passwords show up in breach databases.

Action breakdown, not just diagnosis

The easy part was the score. The hard part was making it actionable.

We could have built a diagnostic tool that tells you what's wrong and walks away. Instead, we built the output around one-tap remediation. Each scan breaks down your security into four areas: device security (permissions, stalkerware, encryption), network exposure (Wi-Fi analysis, DNS leaks), app permissions (a deep dive into what each app requests), and breach exposure (whether you appear in Have I Been Pwned, whether your data is on the dark web, whether your passwords are weak).

Every finding connects to a fix. Toggle a permission off. Update an app. Change a password. Enable two-factor authentication. For Shield tier users, that includes dark-web monitoring, phishing scanning on URLs and QR codes, and a Wi-Fi analyser that shows whether your network is broadcasting an insecure encryption standard. For Fortress tier users, there's GDPR Autopilot (which files automated data-subject requests with companies holding your personal data), SDK X-Ray (visibility into what third-party code inside your apps is tracking), and voice-clone risk detection.

The one-tap deep-links are crucial. We don't just tell you to change your DNS settings; we open the exact screen in iOS Settings where you do it. We don't just flag that your password manager isn't enabled; we link to the setup page in your chosen app.

Privacy-first, even on the free tier

Early on, we had a choice. We could harvest metadata from every scan to train better detection models. We could build telemetry pipelines to track user behavior. That's how many free apps work.

We chose not to. On the free tier, when you run a scan, everything stays on your device. No analytics. No sending your permission list to our servers. No building a database of how many users have a particular app installed. We made that decision because our core users are privacy-conscious. They'd feel betrayed if we claimed to protect their security while hoovering up their data.

Shield and Fortress tiers do use cloud infrastructure, obviously. Dark-web monitoring requires us to check your email hash against known breach lists. The phishing scanner needs to inspect URLs against live threat intelligence. But even there, we don't store personally identifiable information in plain text. Your email address goes into iOS SecureStore or Android EncryptedSharedPreferences. It never sits in an unencrypted database somewhere.

That constraint made ARK harder to build, but cleaner to live with.

What happens when a credit score changes

One thing we learned from credit scores is that volatility matters. Your FICO score can drop 50 points in a month if you miss a payment. That clarity creates behavior change.

ARK works similarly. If you install an app with aggressive permission requests, your score might drop 8 points. If you enable two-factor authentication on your most-used accounts, it goes up 12. That feedback loop is why the score works. You're not reading a blog post about why permissions matter; you're watching your own score respond to your own choices.

Parents use this feature to understand what's happening on their kids' devices. Small business owners check multiple team phones and see whose setup is creating risk for the group. Someone who's been in a breach uses it to track whether their exposed data is being weaponised (that's the dark-web monitoring in Shield) and to see whether they've changed their practices enough to bring their score back up.

The conversation we wanted to have

Mobile security shouldn't require a PhD in cryptography. It also shouldn't reduce to a simple binary warning. Real security is granular. It's contextual. It's different for a parent, a journalist, a business owner, and a teenager.

We built ARK: Mobile Security Score because we wanted a tool that met people where they actually were: confused but willing, concerned but overwhelmed, wanting to care about their privacy without needing to become an expert. The 0-100 score is just the interface. The real work is the action breakdown underneath, the one-tap fixes, and the weekly re-scoring that shows you whether your choices are moving you in the right direction.

That woman from the Zoom call? I hope she's using ARK now. I hope she opened it, saw her score was 38, tapped through to find that five apps had contacts access they didn't need, and fixed them in two minutes. That's the conversation we wanted to have.

What would actually change if you could see your phone's security as a single number, and then fix the three things that matter most right now?
