rudism.com/exploiting.html


2024-01-10 11:52:13 -06:00
<!doctype html>
<html lang='en'>
<head>
<title>Exploiting Android Users - Rudis Muiznieks</title>
<meta charset='utf-8'>
<meta name='viewport' content='width=device-width, initial-scale=1.0'>
<link rel='stylesheet' href='/article.css'>
<link rel='icon' href='/avatar.webp'>
</head>
<body>
<header>
<p><a href='/'>&larr; Return</a></p>
</header>
<article>
<h1>Exploiting Android Users</h1>
<h2>A Dark Past</h2>
<p>I'm going to tell you about some stuff I've done that I'm not particularly proud of. This happened during a period of my life when I was working for a company in the advertising industry. The company already had a pretty strong handle on the email and display advertising markets, but the team I was hired into was a newer group whose job was to break into the desktop advertising game.</p>
<p>It may not be immediately apparent to you what I mean by “desktop advertising,” but I can guarantee that you've run into it at some point before. Every time your Grandma calls you up on the weekend complaining that her computer is running slow, and you fire up her copy of Internet Explorer 7 to find that she's got twenty different toolbars installed, you've encountered the kind of thing my team was working on. Every time you've tried to install some open source software through a Google link, didn't pay attention to checkboxes in the installer, and ended up with half a dozen useless registry scanners, disk cleaners, and so-called “anti-malware” programs unintentionally installed on your computer, you may have me to thank for that.</p>
<p>By way of apology, if you ever meet me in real life, I'll buy you a beer. Promise. Just please try to resist the urge to punch me. I am very sorry for my involvement in everything that you are about to read.</p>
<p>As morbidly interesting as the desktop side of things might be (I may expand on it in a future post), I'm going to tell you a little bit about what we eventually branched into after the desktop business had settled into a stable channel of revenue for the company. Namely, mobile advertising.</p>
<h2>First Attempts</h2>
<p>The advertising industry is largely driven by plagiarism—you look for a money-making model that's working well for someone else, then copy it. If you get in early enough and “drive a truck through it,” as one of my managers used to say, you stand to make a lot of money before rising competition turns it into a race to the bottom and profits dry up. That's how we approached advertising on mobile at first.</p>
<p>Our first product was an “app-a-day” app for iOS that offered users a free app every day (the implication being that the offered app would otherwise not be free). There was another app called AppGratis that was doing pretty well and we wanted some of that action.</p>
<p>Our app was a flop straight out of the gate. The development philosophy while I was there involved pumping out production-ready products within a day or two—if something was going to take longer than that to get into the wild then it wasn't worth doing. This meant that most of what we did (including this first iOS effort) was a buggy mess. The idea was that we would throw this low-effort proof-of-concept at the wall and see where it stuck best, then quickly iterate and fine-tune it to maximize profits.</p>
<p>This one didn't really stick at all. Probably due to the fact that all of our “offers” were games and apps that a) nobody wanted and b) were already free on the app store. We didn't make any effort to provide actual value to users, and we didn't provide any value to the publishers because nobody was using our app. The whole thing ended up being moot anyway, because shortly after we got into the App Store, Apple <a href='https://web.archive.org/web/20161026210745/http://appgratis.com/blog/2013/04/09/appgratis-pulled-from-the-app-store-heres-the-full-story/'>yanked AppGratis</a> and basically banned all “app-a-day” style apps forever. Pay attention and you'll soon discover that this is the start of a common pattern.</p>
<p>Our struggles with Apple's iron fist and how long it took to get new changes into the App Store left a sour taste, so we decided to move on to Android. The big money on Android at the time came in the form of push-ads—these were the ads that would appear in your notification center, even when the app that generated them wasn't running. A company called AirPush more or less had the market cornered on push-ads, so we set out to emulate them and carve out our own little corner.</p>
<p>Since my company already had a vast supply of ads through its email and display channels, it was pretty easy for me to churn out a quick proof-of-concept SDK for Android that would tap our existing ad feeds and push them into the user's notification center. From there on it became a game of attracting developers to use our network, and optimizing the SDK and ads to maximize profits. It went okay, but developer acquisition was a problem we never really cracked—probably due to our unwillingness to actually put any effort or quality control into anything that we did (improving the quality or “feel” of a product didn't directly lead to increased profits, so it was generally frowned upon and discouraged).</p>
<p>And then Google <a href='https://web.archive.org/web/20210614204419/https://www.nextpit.com/play-store-bans-ad-apps'>dropped the ban-hammer</a>. Push-ads were outlawed. This cut deep enough into profits that it was no longer worth spending time or resources on supporting the ad network, so we basically moved on.</p>
<h2>The Collision of Two Worlds</h2>
<p>This is when we strayed from the usual path of identifying an existing market to jump into and actually developed something that was, as far as I know, pretty novel. As I mentioned earlier, we had already developed desktop advertising into a thriving channel of the business, so we came up with a way to piggy-back mobile distribution into our existing desktop distribution model.</p>
<p>Once again I pumped out a quick and dirty proof-of-concept—this time in the form of a Windows app—that we would distribute through our desktop installer network as another checkbox for people to miss. This new app would sit in the user's system tray, silently running in the background.</p>
<p>What did that app do, you ask?</p>
<p>If you have an Android and have spent any time looking for apps in Google's App Store from your desktop computer, you may have noticed that there is an “Install” button which, when you are signed in, lets you install apps directly on your phone. You click the button on your desktop, the app automagically appears on your phone. You can probably guess where this is going.</p>
<p>Web browsers don't really do a great job of protecting their cookies on your computer. They'll go to hell and back protecting them from web-based attacks, cross-site scripting, injected iframes, etc. But once you're actually on someone's computer—once they've trusted and executed your code—getting their cookies is trivial; IE stores them as a bunch of plain-text files in the user's directory, and Firefox and Chrome store them in unprotected plain-text SQLite databases (or did at the time, anyway).</p>
<p>So my new little desktop app, which was quickly distributed to millions of unsuspecting checkbox-ignoring users, would “borrow” their existing Google session by reading their browser cookies, then invisibly “click” that App Store install button for them on apps that were paying us for distribution. We started off with opt-in screens and notifications, letting the user know that they have signed up for our free “app discovery” platform and we just sent them a new app, but we quickly learned that if the user became aware of what was going on at any point in the process, they would remove our app and we'd lose them as a user (a-duh!). Over time, those notification and opt-in screens were “optimized” away as much as possible. They already “agreed” to our 23 page EULA when they were trying to install Paint.NET but accidentally clicked the wrong download button anyway, right?</p>
<p>Calling it an “app discovery” platform soon took on a new meaning for us. Usually that's biz-speak for a service that helps users discover new apps that they want to use, but normally wouldn't find because they're buried too deep in the App Store. In our case, it meant users would wake up in the morning and “discover” new apps on their phone with no idea how they got there.</p>
<p>Several of the first apps we pushed were our own tracking apps that would allow us to call home and gather statistics about our users. The nature of the product meant that those apps had to be available through the Google App Store—you can probably imagine what the comments and ratings looked like on those apps. I certainly learned a few new profanities and insults. I also learned how good Google is at banning developer accounts. A particularly low point for me was talking to a Google employee through a newly-generated VOIP phone number under an assumed name, trying to activate a new developer account with a pre-paid credit card and a made-up address several states away. Logging in and managing the developer account had to be done remotely through an Amazon EC2 instance, since our office's IP address was perma-banned.</p>
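<p>To make the point in the paragraph above concrete, here is an added example (not code from the original post, and not the author's app) that shows what an unprivileged process running as the logged-in user can read from a Firefox-style <code>cookies.sqlite</code>. The example builds its own constructed profile in a temporary directory; the column subset it creates (<code>host</code>, <code>name</code>, <code>value</code>, <code>path</code>, <code>expiry</code>, <code>isSecure</code>, <code>isHttpOnly</code>) follows the names in Firefox's <code>moz_cookies</code> table, but the sample cookies and their values are made up. It deliberately returns only cookie names and flags, never values: the lesson is that <code>Secure</code> and <code>HttpOnly</code>, which stop web-side attacks, mean nothing to code that already runs on the machine.</p>

```python
import os
import sqlite3
import tempfile
from pathlib import Path

# Constructed sample data (not a real profile). Real profiles carry more
# moz_cookies columns; the names used here match Firefox's schema (assumption).
SAMPLE_COOKIES = [
    # host, name, value, path, expiry (epoch secs), isSecure, isHttpOnly
    (".google.com", "SID",   "login-token-redacted", "/", 2_000_000_000, 1, 1),
    (".google.com", "NID",   "prefs-redacted",       "/", 2_000_000_000, 1, 0),
    ("example.org", "theme", "dark",                 "/", 2_000_000_000, 0, 0),
]


def build_sample_profile(directory):
    """Create a constructed cookies.sqlite in `directory` and return its path."""
    path = os.path.join(directory, "cookies.sqlite")
    con = sqlite3.connect(path)
    con.execute(
        "CREATE TABLE moz_cookies ("
        "id INTEGER PRIMARY KEY, host TEXT, name TEXT, value TEXT, path TEXT, "
        "expiry INTEGER, isSecure INTEGER, isHttpOnly INTEGER)"
    )
    con.executemany(
        "INSERT INTO moz_cookies (host, name, value, path, expiry, isSecure, isHttpOnly) "
        "VALUES (?, ?, ?, ?, ?, ?, ?)",
        SAMPLE_COOKIES,
    )
    con.commit()
    con.close()
    return path


def cookies_readable_by_this_process(db_path, domain):
    """Return the cookies for `domain` that the current OS user can read from
    the profile, with their Secure/HttpOnly flags. Values are never returned."""
    if not os.access(db_path, os.R_OK):
        return []
    # Open read-only and immutable: this works even while the browser holds
    # the file locked, and no password, token or privilege is involved.
    uri = Path(db_path).resolve().as_uri() + "?mode=ro&immutable=1"
    con = sqlite3.connect(uri, uri=True)
    rows = con.execute(
        "SELECT host, name, isSecure, isHttpOnly FROM moz_cookies WHERE host LIKE ?",
        ("%" + domain,),
    ).fetchall()
    con.close()
    return [
        {"host": host, "name": name, "secure": bool(sec), "httponly": bool(http)}
        for host, name, sec, http in rows
    ]


def demo():
    """Build the constructed profile and report what a local process can read
    for two domains; HttpOnly cookies show up exactly like the others."""
    with tempfile.TemporaryDirectory() as tmp:
        db = build_sample_profile(tmp)
        return {
            "google.com": cookies_readable_by_this_process(db, "google.com"),
            "example.org": cookies_readable_by_this_process(db, "example.org"),
        }


if __name__ == "__main__":
    for domain, cookies in demo().items():
        for c in cookies:
            print(domain, c)
```

<p>Point the same query at a real profile directory and the only thing standing between a process and the session cookies is the file's permissions, which a program running as that user already satisfies. Chrome on Windows has since moved to encrypting cookie values with the user's DPAPI key (and more recently an app-bound key), which raises the bar for a stray process without closing it, since the same user context can still call DPAPI; Firefox still relies on file permissions alone.</p>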
<p>It was around that time I started looking for a new job.</p>
<h2>No Excuses</h2>
<p>The stuff I worked on in that job was complete horseshit. It provided absolutely zero value to anybody. It existed and was expressly optimized for the sole purpose of exploiting non-tech-savvy computer users to generate undeserved profits. We all very much understood that our “users” were generally unaware that they were a source of revenue for us (this was considered a good thing) and it was often joked about. I knew this the whole time I was working there, and I felt shitty about it, but for a couple years not shitty enough to keep me from selling out for a reasonable paycheck, three free lunches every week, and good benefits.</p>
<p>I've since moved to a new state, a new job, and a different (less soul-sucking) industry, and feel really, really good about that decision. I'm now working on things that actually provide value to the users. If there's a moral to this story, I'm not entirely sure what it should be. Maybe that “will it pay the bills?” shouldn't be your only consideration when exploring new job opportunities. “Could I live with myself?” should be somewhere up there too.</p>
<p>I have no idea if any of the things I helped build are still alive out there. When I left, we still had problems identifying good users to push our desktop app to—it had to be someone who owned an Android, was logged into Google on their desktop, and had enabled the ability to push apps from the App Store to their phone. This is a small segment of the total universe of desktop users, meaning that even though we were able to make insane amounts of money off the users we got, we weren't able to get that many users. With the never-ending Google account closures to boot, it wouldn't surprise me if that product was eventually tossed into the heap along with our other failed endeavors to make way for the next million-dollar-idea. Though, the last thing they had me working on before I left was reverse-engineering how iTunes installed apps in the hopes of developing a similar distribution model for iOS. We knew it was possible because there were a couple Chinese products out there that could push signed apps directly to iOS devices already.</p>
<p>I'll end this post by once again apologizing for everything I did while working there. It is a definite fact that I made thousands (at least) of people's lives a little bit worse through my efforts, and that still bugs me. But that's okay—hopefully it means I managed to escape with my conscience still somewhat intact.</p>
<p>So please, tell your Grandma I'm sorry. And to upgrade her browser.</p>
</article>
<footer>
<p>Copyright &copy; 2015 Rudis Muiznieks.</p>
</footer>
</body>
</html>