Why We Built Privacy Risk Score Per App

Three weeks before launch, a user in our beta group sent me a voice note. She'd been through all twelve apps on Guard's dashboard, looked at the permissions list for each one, and said, 'I get that Instagram needs my camera. I get that my banking app needs location. But how do I know which one is actually dangerous?' That question kept me awake. We had to give her an answer that didn't require a computer science degree.

The Problem With Lists

When we first sketched Guard, we thought permission lists would be enough. Show users what each app could access. Let them decide. It felt elegant in theory, honest in principle. Then real people started using it.

Most of them had between forty and seventy apps installed. Seeing the full permission manifest for each one created paralysis, not clarity. A user would open Instagram, see it requested access to Photos, Camera, Location, Contacts, Microphone, and Calendar. Then open TikTok and see almost the same list. Then open LinkedIn. Then Maps. Each app looked equally risky because the permission lists didn't tell you anything about context, necessity, or actual exposure.

One user told us she'd started thinking of her phone as 'basically a spyware device' after thirty minutes with the unscored list. That wasn't helpful. That wasn't our goal. We weren't trying to scare people into inaction.

A Score Needed Logic, Not Just Fear

We spent a week just arguing about what Privacy Risk Score should measure. Some of the team wanted to weight everything equally: five permissions equals a five out of ten. Simple. Fair. Wrong. A weather app requesting Location is fundamentally different from a social network requesting your Contacts list and Camera. Same permission; wildly different risk profiles.

We looked at what people actually cared about. Sensitive data: your location, contacts, photos, health information, clipboard access (which we learned was a vulnerability vector after iOS 14). Necessity: does the app logically need what it's asking for? Context: is the request tied to a core function you've chosen to use, or buried in the background?

The score that emerged wasn't arbitrary. An app gets a higher risk rating if it asks for sensitive data it doesn't obviously need. Instagram requesting your exact location? Higher score. A fitness tracker requesting your health data? Lower score, because that's why you installed it. Maps requesting Contacts? Red flag.
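As an added illustration (not Guard's actual formula or code), here is one way the three inputs described above, sensitivity, necessity and context, could combine into a score out of ten. The weights, the expected-permission table, the discount factors and the function names are all assumptions made for this example.

```python
# Assumed sensitivity weights per permission (illustrative values only).
SENSITIVITY = {
    "location": 3.0, "contacts": 3.0, "health": 3.0, "photos": 2.5,
    "microphone": 2.5, "camera": 2.0, "clipboard": 2.0, "calendar": 1.5,
}

# Assumed table of permissions a user would expect for an app's purpose.
EXPECTED = {
    "weather": {"location"},
    "fitness": {"health", "location"},
    "maps": {"location"},
    "social": {"camera", "photos"},
}

NECESSARY_DISCOUNT = 0.25  # an expected permission counts at a quarter weight
BACKGROUND_FACTOR = 1.5    # access not tied to a feature the user invoked


def score_app(purpose, requests):
    """Score one app from 0 to 10.

    requests is a list of (permission, used_in_background) pairs.
    Returns (score, flags), where flags lists the sensitive permissions
    the app's purpose does not obviously need.
    """
    expected = EXPECTED.get(purpose, set())  # unknown purpose: nothing expected
    raw, flags = 0.0, []
    for permission, background in requests:
        weight = SENSITIVITY.get(permission)
        if weight is None:
            continue  # not in the sensitive set, so it adds no risk here
        if permission in expected:
            weight *= NECESSARY_DISCOUNT  # necessity: this is why you installed it
        else:
            flags.append(permission)      # sensitive and not obviously needed
        if background:
            weight *= BACKGROUND_FACTOR   # context: not tied to a chosen action
        raw += weight
    return min(10, int(raw + 0.5)), flags  # round half up, cap at ten


if __name__ == "__main__":
    # Constructed sample apps, not measurements of real products.
    print(score_app("fitness", [("health", False), ("location", False)]))
    print(score_app("maps", [("location", False), ("contacts", False)]))
    print(score_app("social", [("location", True)]))
```

The same Location request scores differently for a maps app and a social app, and a social app requesting the full list from earlier in this post saturates the scale.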

What the Score Actually Tells You

Here's what Privacy Risk Score is, and what it isn't. It's a starting point for a conversation with your own phone. It's not a threat level. It's not a judgment about whether you should uninstall something. It's a signal: this app is asking for access to sensitive information. Do you understand why? Are you comfortable with it?

The moment someone sees a permission flagged in Guard, they can tap it and jump straight into iOS Settings. They can revoke it. They can test whether the app still works without that permission (spoiler: it usually does). That's the real power. The score gets you looking; the deep-link gets you acting.

In Personal Pro, we added real-time alerts. If an app changes what it's requesting, you'll know. We also added the data exposure profile, which shows you a bird's-eye view of which categories of data across all your apps are exposed. That matters more than individual scores once you start paying attention.

The Mistake We Almost Made

We were close to shipping a score out of one hundred. Felt more scientific. Then a user in our beta said, 'If something's an eight out of one hundred, is that okay?' We realised a hundred-point scale made people overthink it. Ten felt right. It's simple enough to understand at a glance but granular enough to tell you when two apps differ meaningfully.

We also almost weighted it by app category, assuming everyone cares the same about everything. But a parent monitoring her kid's devices cares about different permissions than a journalist handling sensitive sources. So we built it to be readable as-is, but also to adapt once we start collecting real data on how people engage with it.

That's the honest version: we guessed. We tested. We fixed it based on what real people said. And we're still learning.

What It Can't Do, and Why That Matters

Let me be clear about the limits. Guard isn't a system-level permission auditor. iOS prevents any third-party app from seeing what permissions other apps actually have at runtime. We're not reading your device; we're showing you what apps say they want to access based on what they declare in their app store listings and what we know from testing. It's education, not espionage.

The score doesn't catch every risk. It won't tell you if an app has a zero-day vulnerability. It won't detect if a developer is selling your data through a sketchy analytics backend. It won't know if your location is being logged to a server in a country with no privacy laws. What it will do is make you stop and think about Instagram having both your Camera and your Contacts before you've ever thought about it.

For people who want deeper visibility, Personal Pro adds clipboard safety checks (which catch apps silently reading what you've copied) and tracking app details that show you where your data is flowing. For parents, the Family tier lets you manage six devices from one dashboard with actual child controls built in.

Why This Matters Now

We built Guard because phones have become the most personal device most of us own. More personal than a diary. You're storing photos, messages, location history, health data, banking details, and intimate moments on something that's running code from hundreds of companies you've never met. The operating system tries to protect you with sandboxing. It's genuinely good. But good isn't enough anymore.

A score per app makes privacy a conversation instead of a checklist. It tells you: this needs your attention. Not in a way that demands you become a security expert. In a way that says, here's what you're trading for the functionality you want. Now you decide.

The real question isn't whether your apps are asking for too much. It's whether you know what they're asking for, and whether you've made a conscious choice to let them have it.
