Security Experts:

Cloudflare Launches New App Store for Websites, $100 Million Development Fund

Cloudflare Launches New Website App Store and Partners With Venture Firms to Launch $100 Million Development Fund

In December 2016 Cloudflare acquired Eager, a firm with a system for developing apps and integrating them into websites. The outcome of that acquisition is launched today with Cloudflare Apps, a free platform that enables developers to build apps and make them available to the 6 million websites that use the Cloudflare network.

In effect, Cloudflare is relaunching its own app store; but in a format that it now intends to grow. It has partnered with its first three venture capital investors to support app developers from a new $100 million Cloudflare Development Fund. Qualified developers will now have the opportunity to receive a cash investment, marketing support, and technical advice from the participating venture capital partners. 

That financing is in the same tradition as that used by Sun when it launched Java, by Apple when it launched the Apple Apps Platform, and by Salesforce when it launched force.com. "When we discussed our plans with our investors," Matthew Prince, co-founder and CEO of Cloudflare, told SecurityWeek, "it was their idea to establish financing to help developers produce the next big idea in value-added apps. Now, if a developer is interested in building some new app only made possible by the Cloudflare network, it can apply for financing to help make it possible."

The investors concerned are New Enterprise Associates (NEA), Venrock, and Pelion Venture Partners. Cloudflare's app platform is an exciting opportunity for developers and investors," commented Bryan Roberts, Partner, Venrock. "Building on the success of other app platforms like Java and the iPhone App Store, Cloudflare is giving entrepreneurs the opportunity to rethink and shape how the next generation of Internet companies get built."

Cloudflare has long offered a few apps, but nothing that could be called a serious app store. This new venture is intended to change that with a completely new platform. "The Apps Platform is a collection of APIs that allow developers to easily produce apps that can run across the network," Prince told SecurityWeek. "It's similar to the platform built by Apple. We make it easy for the developers to produce apps, and easy for them to get paid for those apps. The existing apps will continue to work; but we believe this will enable a whole new class of website apps that couldn't exist without a network like Cloudflare that can efficiently deploy the code globally. The platform allows developers to take advantage of Cloudflare resources around the world, and then be able to make it much easier for anyone, whether a small niche WordPress site or a large organization, to use those apps."

"When you build a startup, you need three things: a way to efficiently reach customers, a way to get paid, and capital to finance your development," explained Prince. Together the Cloudflare Apps Platform and Development Fund solve these three challenges."

The Cloudflare network comprises some 6 million website customers that use Cloudflare's approximately 115 worldwide data centers for security -- such as DDoS mitigation-- and performance optimization. The basic service is free, but more advanced options can be paid for.

The new app service will add app code to delivered customer web pages as the page passes through Cloudflare's data centers. This provides both flexibility and control. Developed apps can be added to websites by customers simply by specifying which sites or pages on which they should run. For the customer, everything is automatic and requires zero coding.

Traditionally, of course, apps provide vulnerabilities. Android itself, for example, is quite secure -- it is that Android apps that can introduce problems to the Android ecosphere. SecurityWeek asked Prince if the new app platform could introduce vulnerabilities either to the Cloudflare network, or its customers.

Potentially, yes, he admitted; but then explained Cloudflare's approach -- which is closer to Apple than it is to Android. "We've taken an approach similar to Apple. We review all apps before deployment, and each one is individually sandboxed and cannot affect any other app," he explained. The control element comes because no code is ever installed on the customer's website, merely added to the page between the website and the viewer's browser. This makes it even stronger than the walled garden, because without hacking Cloudflare itself, there is no possible equivalent to the iOS weak point, sideloading.

"If a vulnerability is ever discovered, much like Apple we can withdraw that application from any customer that is using it and prevent any other customer from using it in the future. So, while there is a potential that an app vulnerability may slip through the vetting and the static analysis that we do before it is delivered, it is never deployed software. The app is code that is running on our hardware and injected into web pages as they pass through our systems; and we can simply turn it off without any effect on the customer's website."

"VigLink [one of the three VC investors] has always focused on empowering publishers, and the launch of Cloudflare Apps is a watershed moment," enthuses Oliver Roup, CEO and founder. Incremental publisher revenue is delivered without compromising user experience, now a single click away from more than 4 million of the web's savviest publishers. A better Internet isn't just faster and safer, it's more lucrative too."

view counter
Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.