The case for Privacy Risk Score per app
Three months before we shipped Guard, a user emailed us asking a question we couldn't answer with existing tools: "Which of my apps is actually the worst offender?" We'd looked at permission dashboards before, permission-by-permission breakdowns, even threat databases. But nobody was saying: this app, on your phone, right now, is a higher privacy risk than that one. We realised the gap immediately.
The problem with lists
iOS gives you permissions. Apple's Settings app lists them. You can see that Maps wants Location, that Photos wants Camera, that Facebook wants Contacts. But what you can't see is the weight of those combined permissions across each app. Is Spotify more or less trustworthy than your banking app because it wants Bluetooth? How do you compare Instagram's access to your photo library against TikTok's access to your microphone?
Most people don't compare at all. They install, they tap 'Allow', they move on. The permission systems work, in the sense that you can revoke them. But they don't help you decide what matters.
We built the Risk Score to close that gap. For each app in the demo set, we assign a score based on what that app is requesting and what it could theoretically access. A notes app requesting location, microphone, and camera gets a higher score than a weather app requesting only location. A social app with access to your contacts, photos, and clipboard gets a different colour than a game with access to nothing.
It's not a magic number. We're transparent about what goes into it. But it gives you something iOS settings don't: relative risk at a glance.
Why 'per app' matters more than you'd think
We could have built a single security score for your phone. A big red number that says "you're 64% exposed". It would feel important. But it would be useless.
A single score tells you nothing about what to do. It's like being told your car has a problem but not which engine component is failing. You're worried, but paralysed.
Individual scores flip that. They let you rank. They let you decide: I'll accept this risk from my banking app, but not from that random puzzle game. I trust Spotify with my location, but not with my contacts. You can't make those trades if you don't see each app separately.
We built the deep-link to iOS Settings into the score for exactly that reason. Tap a flagged app, and you land in Settings where you can actually revoke something. The score becomes actionable in seconds. You're not just reading a report; you're making a choice.
What changed when we shipped it
The Risk Score went live in the Free dashboard in mid-September. We'd tested it. We knew it worked. But we weren't prepared for how people used it.
Within the first week, users started messaging about specific apps they'd never questioned before. A photo editing app flagged as medium-risk because it wanted location and clipboard access. A fitness tracker requesting contacts. None of these apps were doing anything wrong in the legal sense; the permissions were what they needed to function. But seeing them scored against each other made the choice visible.
One user told us she'd installed a messaging app on her daughter's phone without thinking. Saw the Risk Score, checked the permissions, saw it was requesting full camera and photo library access. She revoked it, switched to something else. That conversation wouldn't have happened without a number forcing her to look.
We also learned what we weren't scoring. iOS sandboxing means we can't see what apps are actually doing with permissions once granted. We can't know if they're selling your data or just using it for features. The score reflects potential, not behaviour. That's why we're explicit about it. The Free dashboard is a demo, a prompt, an educator. Personal Pro adds real-time alerts so you catch actual permission changes as they happen. Different tools for different concerns.
The score as starting point, not ending
We don't want you to obsess over numbers. A high Privacy Risk Score on an app you genuinely need and trust is fine. Installing Signal because it has a low score would be silly if you don't actually use it.
What we wanted was to make privacy a decision, not a default. Right now, most people's relationship with app permissions is: install, get prompted, tap Allow or Don't Allow, forget about it. The interface works, but it treats each permission in isolation. You're not thinking about the collective exposure.
The Risk Score forces a moment of thought. It says: this app is asking for more from your phone than most apps do. Before you forget about it and move on, decide if you're OK with that.
In Personal Pro, we layer on real-time alerts so you're not just making a decision once. If an app changes what it's asking for, you get notified. That's when the score becomes part of a larger picture of attention.
Why we kept it simple
We could have built a complicated scoring algorithm. Weighted location access higher than microphone access. Added reputation data. Created user-preference profiles. The temptation was real.
We didn't. The Risk Score is straightforward: what is the app asking for, and how does that number of permissions compare with what most apps need? It is transparent, repeatable, and something you can reason about yourself.
Complexity would have added false precision. It would have felt more authoritative. But it would have been less useful. A user looking at a score of 73 versus 68 shouldn't trust us to have figured out which really matters to them. They should see the permissions, understand the reasoning, and make their own call.
That simplicity also means the score doesn't change based on our business interests or partnerships. We're not subsidising well-funded apps or penalising competitors. The logic is visible. If you disagree with how we score something, you can see why and decide whether our framework matches your priorities.
Most apps you trust are probably fine. But do you actually know which ones you've trusted, and what they're asking for? That gap between assumption and clarity is where the Risk Score lives.