App review extortionists

I was just reading up on App Reviews in light of another thread, then I came across this reddit page

http://www.reddit.com/r/androidapps/comments/194y4n/just_a_warning_that_there_are_people_out_there/

Excerpt
"I got an email from some guy who was saying he can post as many good reviews for the app as we’re willing to pay for. Naturally we just ignored this, the app isn’t for public consumption, reviews don’t matter. A couple of weeks later I got another email from the same source as the first warning that without his services, our app could lose business. I checked in the play store and saw that there were dozens of one star negative reviews with comments like, “Ruined my phone.”"

Is this kind of thing common? Have any of you had an experience like this?

1 Like

Woah didn’t know that! Hope things changed since that reddit post was written.

They very well might have. If one reads through the comments on that Reddit, there is a mention of how Google made it such that only Plus accounts can review. Would have made it slightly more difficult for these characters to trash apps in this manner.

This is a reason I’m iffy about publishing to iPhone, ever. I’m not saying Google Store is any better, necessarily, but I really think that the Apple market is unnecessarily toxic.

@AndrewGrayGames why do you say that? I thought the Android market was considered the most toxic. I’m asking out of curiosity: I don’t know much about either (I mostly developed for PC/Mac until recently).

I had no problems with the iOS market, but that was some years ago.

–Eric

So, I’ve been researching the mobile market since I released my last project. What I’ve found out about the behaviors going on in the markets isn’t really too good.

Problem I: Flooded by Hacked Copies
Resources:
Copycats causing problems for iPhone App Developers (2009)
How App Store Grifters Clone an Overnight Success to make a quick buck (2013)*

*: Applies to the Android Market as well. The article is a good read.

Apparently, grifters are a huge problem in the mobile ecosystems. These leeches find promising apps, and sometimes just re-upload them after changing their metadata. Every now and then, a grifter will make a reasonably painstaking clone of an existing app, that will be uploaded.

Problem II: WORM! (or Virus, or Trojan. Whatever.)
Resources:
Free Android Antivirus Apps Fail to Cut It (2011)

While I haven’t managed to find many details about Apple’s products, the antivirus apps out there for Android are notoriously shoddy, and there was an article on Ars that I failed to find again, where the internal antivirus app that Google uses on newly uploaded apps failed to catch certain patterns of malignant software. You can’t rely on these companies to properly vet their software.

Speaking of…

Problem III: You Can’t Rely On These Companies to Properly Vet Their Software
A major complaint from many mobile game developers that I have seen on these very forums. As the process has apparently become more automated, some really rancid stuff gets through.

In theory I still want to publish to mobile, but the more I read and look for reasons not to, the more I find them. It’s not quite to the point of being a fractal of ‘you don’t want to do this’, but it seems like every day makes the app stores a less promising place to publish to.

It’s true that some other marketplaces face similar problems (Steam), so this isn’t isolated to ‘just mobile.’ But the lack of protection that goes on in what are marketed as walled gardens is pretty astounding. I’m not sure I should trust these companies with my app if they’re going to enable them to be grifted, filled with malware, and possibly used for much more malicious purposes.

4 Likes

Thanks for the detailed info and the interesting links @AndrewGrayGames. After reading I’m even more scared of posting my latest almost-finished game on mobile, considering some of my friends had their games cloned after a single week, even when they were just mildly successful and not a hit. Obviously I will post my game when it’s finished, because that’s what we do, but darn gosh.

Google/Apple should definitely do more, because as you and a lot of people are saying it seems they’re indeed not caring at all about protecting developers. Maybe I’m too naive, but I think that an important step would be that, in case a clone is found guilty and thus removed from the store, all the money it earned should go to the original game’s developer. That would be a pretty good deterrent.

This stuff is very common in online marketing. Companies do it with website marketing. Had a very similar thing happen to one of my sites several years ago. In this case they spammed links to my site all over blogs on the net. As a result I got complaints to my ISP and myself about spamming. In reality I never did it. What I had done was to not reply to one of the dozens of spam messages I got via the contact form on my site offering website promotion services. In fact I received a message worded very much like you describe. That without their help my site was at great risk. There are a lot of a-holes in the world.

2 Likes

@Demigiant, I don’t think that removing money from a grifter would be a very feasible idea, but I certainly agree that the app should be stricken from the store, and the Apple Developer’s License be revoked. Apple is in a position to prevent theft of a hardworking developer’s work, and ensure that our IPs are protected. They really need to assert themselves more in that regard.

And, before anyone can say, “yes, but it’s also true people will use this principle to attack works that are competing against them,” all Apple/Google has to do is what they claim to already make a point of: being the one who decides that. If your app does the same thing as some other guy’s, but has a vastly different setup/different source code? Then, it’s not a copy. If they compare two apps, and the UI is identical and most of the source code, then someone needs a ban.

1 Like

Is it possible to hide your contact during the first week? If they can’t contact you, they will quickly forget your game.

The negative extortion bit aside, I was quite shocked (although guess I shouldn’t have been) when I put my little kids game I made for my son on appstore and received emails from “marketing” companies with rates for buying positive reviews and stars. Opened my eyes a bit that a lot of those reviews are worthless.

1 Like

I find it hard to believe that, of all the checks Apple makes during the app review process, none of them include “is the app’s binary identical to any binaries already in existence on the store?”

1 Like

So, first thing first: I’m only researching the various app stores. I do not have a dev license on any of them, nor have I released anything into those ecosystems, first. Just re-throwing that out there to prevent confusion.

However…yeah, I agree. If 90%+ of the binary is the same as someone else’s, I’d definitely agree it’s a ripoff. I find it hard to believe that no one at Apple or Google reads these tech magazines, and learns of these sorts of scams going on. They don’t help the companies or the ecosystems. (I’m referring to the extortion tactics and the grifting.)

EDIT: I really think the problem with the App Store - both the extortion, the grifting, and the malware - is all coming from one source: Apple not paying nearly enough attention to the goings-on around their walled garden. I’d actually liken it to a siege in the Middle Ages, really; you’ve got the extortionists mining under the walls, the malware being delivered as ‘gifts’ to the vanquishers, more often than not in the form of grifted apps that, because the guards are sleeping on the job, are getting through.

I originally thought I was being extremely off-topic, but really, it all comes down to the same core issue: the Apple (and Google) app stores are not as well-controlled as they market. It’s really a nasty place to do business.

Alas, it’s not that simple, and Unity is a perfect example. How similar do you think the binaries for a pair of simple games made in Unity may be? I can easily imagine a circumstance where the unique content/scripts for a game may be less than 10% of the deploy size. And if you’re making an app that’s less content dependent, and using open source libraries… it could easily appear to be almost entirely pillaged - how much glue/UI code do you think there’d be compared to what’s in the off-the-shelf libraries?

Plus, I’m sure it’d be easy enough to do some sort of scrambling to stop many things from being recognised compared to its source. For instance, you could simply change formats, re-compress or encrypt things for a minimal effort, user-transparent modification that significantly changes the stored data. (Though that’s no reason not to check for actually identical stuff, or say >99% identical stuff, with human checking of flagged matches.)

4 Likes
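The point made in the post above, worked as an added example (not part of the original thread and not any store's actual process): a file-hash comparison of two packages, with and without a baseline of known engine/library files. The package contents, the `ENGINE` baseline and all function names are constructed for illustration; the 99% cut-off is the one suggested in the post.

```python
import hashlib

REVIEW_THRESHOLD = 0.99  # ">99% identical" -> send to a human, per the post

def digests(package):
    """Map each file's SHA-256 digest to its size in bytes."""
    return {hashlib.sha256(d).hexdigest(): len(d) for d in package.values()}

def similarity(a, b, baseline=None):
    """Byte-weighted Jaccard similarity, ignoring files found in baseline."""
    skip = digests(baseline) if baseline else {}
    da = {h: n for h, n in digests(a).items() if h not in skip}
    db = {h: n for h, n in digests(b).items() if h not in skip}
    shared = sum(n for h, n in da.items() if h in db)
    total = sum(da.values()) + sum(db.values()) - shared
    return shared / total if total else 0.0

def triage(a, b, baseline):
    """Compare raw similarity with similarity of developer-owned files only."""
    own = similarity(a, b, baseline)
    return {"raw": similarity(a, b), "own": own, "flag": own > REVIEW_THRESHOLD}

# Constructed sample data: a shared engine runtime dominates the package size.
ENGINE = {"lib/engine.so": b"E" * 90000, "lib/runtime.dll": b"M" * 10000}
game_a = {**ENGINE, "assets/levels.bin": b"A" * 6000,
          "scripts.dll": b"a" * 3000, "manifest": b"name=Alpha"}
game_b = {**ENGINE, "assets/levels.bin": b"B" * 7000,
          "scripts.dll": b"b" * 3000, "manifest": b"name=Beta"}
# Re-upload of game_a with only its metadata changed.
reupload = {**game_a, "manifest": b"name=Alph4"}

if __name__ == "__main__":
    print("two distinct games:", triage(game_a, game_b, ENGINE))
    print("metadata-only copy:", triage(game_a, reupload, ENGINE))
```

Without the baseline, the two unrelated games score about 84% identical purely from the shared engine; with it, they score 0% while the metadata-only copy is flagged. Exact hashing only matches byte-identical files, so it covers just the "actually identical stuff" case the post describes.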

Thanks for this

I used to be active in the running of one or two websites, though none of those sites became significant enough to get the attention of these thugs, so I was not that aware of this problem. So I did a little bit of reading up.

Here are some quick tips for anyone reading this thread at a later date

The dubious practice is called SEO extortion. (Google)

A lot of sites document this thing. It consists of a threatening email that mostly looks like this template email:

Excerpt:
Hello,
Read this email very carefully.
This is an extortion email.
We will do NEGATIVE SEO to your website by giving it 20,000 XRumer forum profile backlinks (permanent & mostly dofollow) pointing directly to your website and hence your website will get penalised & knocked off the Google’s Search Engine Result Pages (SERP) forever, if you do not pay us $1,500.00 (payable by Western Union).

The remedies you can take according to these sites are:

  1. Monitor your webmaster account frequently
  2. Disavow suspicious links
  3. Report these kinds of emails immediately to Google.

I have no idea how much this helps because, like I said, I have not faced this problem due to my very little experience in running a website, but it IS a big enough problem to provide 183000 results on Google search.

More info and sources for above at
http://www.getfoundquick.com/google-bowling-and-seo-extortion/
http://www.longtermfix.com/negative-seo-attempting-extort-website-owners/
http://searchengineland.com/google-responds-mass-negative-seo-extortion-emails-200689

EDIT: More info on this ‘XRumer’
http://en.wikipedia.org/wiki/XRumer

1 Like

You can take this another direction as well: Sometimes two binaries for the same game with only a minor change can be so different as to prevent simple patching.

Until recently, a game I played was requiring a complete download of the entire game binary every time they made even the slightest change. This was because of how their game engine compiled everything together. There was no “patch this small change” possibility because any small change would cause radical changes to the entire structure of the download.

To me this means that if some game engines do this naturally, anyone who is stealing an existing game and posting it again can easily bypass any check of uploaded binaries.

The app copying gets even more complicated when you start thinking about non-custom art. If I purchase a pre-made UI on the Asset Store, how do I prove another app is ripping me off instead of just using that same pre-made UI? What if I’m using various script packages as well? I’m sure it’s possible to prove the theft, but it gets that much harder and that much more costly.

From the perspective of whatever marketplace the apps are going up on, even trying to compare the clones and the copies to see what are valid and what cross the line into outright theft is probably not cost effective. Considering how little money most apps make (basically $0), for a marketplace to have an employee spend even 10 minutes looking at every app means most apps posted cost the marketplace more money than they will ever earn.

Even paying a programmer to somehow develop analysis software that can tell when one app rips off another isn’t necessarily a cost effective solution. You’d also end up paying someone else to sort through potential false positives, then paying someone to deal with whatever steps the marketplace wants to take, and then dealing with appeals to the process.

YouTube and Twitch have it easy with looking for music because they’re just pattern matching, yet look at how many false positives both of those services have gone through.

Ultimately, I think we need a better system than we have now, I just do not believe we’re going to get it as long as the basic app price is $0 and the common end user just doesn’t care. There are currently court cases in the U.S. which are debating what exactly “cloning” entails or allows under copyright law, and that may ultimately be what forces the various marketplaces to start paying more attention to the garbage that is being posted.

Or they could go back to charging a posting fee for every app and using that money to pay for a real review process. I think a lot of independent developers will be opposed to that though.

Plus, it’s not actually Apple’s/Google’s problem, it would cost a lot to implement this stuff, it would gain them little, and could perhaps (I don’t know… I guess Youtube does ok) open them up to a lot of liability if they tried (people complaining when they failed to make a correct match on stuff actually stolen, and other people complaining about false positives).

1 Like

A few years ago I received one of those pay-4-reviews emails and pasted it (w/full headers) into an Apple bug report with security as the type. An Apple engineer replied, thanking me for the report but it wasn’t a security problem; however, he would pass it along to the appropriate group. Pretty sure I’ve also contacted Apple through the app review team (before they changed the iTunes Connect site).

Sorry, no info on Google and this is the first I’m hearing of the extortion side of it. Pretty discouraging :(

@GregMeach @AndrewGrayGames

I don’t think it’s a huge enough problem yet.

@AndrewGrayGames, I don’t think this factor should significantly deter you from even putting your app at the appstores. The clones factor, I dunno. I think if you are creative enough, people always want the original. The dude who only clones stuff and can’t make things himself will eventually become boring.

From what I have been able to make out so far, it is not a huge problem yet. At the present time there are a lot of operators offering to put positive ratings - Cash for ratings. This extortion business, though it does exist, is not so widely prevalent yet.

I think it’s more a question of being aware of the problem and being prepared to deal with it if and when it hits your app.