#1
03-11-2014, 06:20 AM
suppoman
Member
Join Date: Oct 2013
Posts: 34

Developers - be careful out there!

Hi guys,

I wanted to share a harrowing experience I have recently had. This is mainly aimed at developers/app creators just starting out.

I posted a thread recently saying that I had 11,000 downloads on my chat application inside a month. At that point my app had done exceptionally well.

However, a week ago, some hackers decided to make my life hell as a consequence of exposing some security flaws in it.

I can only say that what happened next has been a quite stomach-churning experience. My app and my name have become infamous rather than famous; it's been all over the net. Some examples are here:

http://aol.it/PnB8S6
http://bit.ly/1qsdx0n
http://zd.net/1cMt5sq

Plus my app went viral over twitter and I received messages of hate and resentment, even people wishing me death. My twitter and godaddy accounts were hacked and I only resumed control of the latter yesterday after 3 days of being locked out. Twitter have not even bothered to do anything about my account.

So I have learnt a very valuable lesson, keep security of user information at the very top of your agenda or face a very harsh lesson.

Suppoman
#2
03-11-2014, 06:30 AM
Ironcode
Member
iPad 2, iOS 7.x
Join Date: Oct 2013
Location: India
Posts: 36

I think your biggest mistake was to threaten the person who contacted you. You could just have assured him that you will fix it as a first priority and this would never have blown up.

Then you should have tried to fix the bug immediately.

Whenever an irate customer contacts you, always be nice.
#3
03-11-2014, 07:25 AM
suppoman
Member
Join Date: Oct 2013
Posts: 34

He wasn't an irate customer. He wanted to make a name for himself.

He published his full disclosure on the internet without getting in contact with me via the support email address which is on the app or my app email address which is on my website.

Furthermore he went on to instigate the hacking events that took place.

If he had contacted me first it would have been a different story.
#4
03-11-2014, 08:32 AM
expleo
Developer
iPad (3rd Gen), iOS 7.x
Join Date: Jul 2012
Location: Norway
Posts: 148

"How Snapchat imitator Puffchat managed to do everything wrong
Summary: Early this week Snapchat imitator Puffchat threatened a hacker for disclosing serious security holes and fallacies in the app's privacy claims. As expected, things aren't going well for Puffchat's arrogant founder."

1) I don't think you (or anyone) deserves getting hate mails and threats.

2) I do sympathise with the grief you must have when you read stuff like that about yourself. Probably not what you hoped for when releasing the app.

3) Security issues should always be addressed without getting defensive. My suggestion is just lay down flat and take responsibility; it works for politicians all over the world for a reason. Those who get too stubborn, in denial or refuse to accept the responsibility often find themselves in a worse and worse situation. Admit it (whatever 'it' is), say you are sorry for compromising users' trust, and that you are working day and night for a solution.
#5
03-11-2014, 12:30 PM
Broxxar
Junior Member
iPad (3rd Gen), iOS 7.x
Join Date: Jun 2013
Location: Kingston, ON
Posts: 18

Forgive me if I'm wrong, but were you passing the link to the image stored on the server in plain text? Or were you at least using MD5 or a similar hashing algo (preferably then also using a private key/salt or what have you).

The backlash doesn't seem to have much to do with the lack of security, more so with the fact that you claimed it was secure and then when a "hacker" (let's be honest, this wasn't some expert blackhat) exposed security flaws, you actually blamed them. Yes, the hacker should have brought the issues to your attention privately, but it still seems you handled the situation in just about the worst way imaginable.

Nevertheless, thank you for sharing your valuable and hard-learned lesson with the community. Hopefully many will learn from this and avoid making similar mistakes with security of user data.

Good luck going forward, I hope you're able to bounce back from this hiccup!
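Broxxar asks whether the app handed out image links as plain server paths, or at least as a hash with a private key or salt. The Python below is an added example, not code from the thread or from the app it discusses: it contrasts an unkeyed hash of a predictable image id, which anyone who knows the id scheme can recompute for every other user's image, with a keyed HMAC token that also carries an expiry and is checked in constant time. The key, the `photo-NNNN` id scheme and all function names are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Constructed for this example; a real service loads the key from a secret
# store and never ships it inside the client app.
SECRET_KEY = secrets.token_bytes(32)


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def unkeyed_ref(image_id: str) -> str:
    """The weak scheme Broxxar alludes to: an unkeyed hash of a predictable id.
    It hides nothing, because anyone who knows the id scheme (photo-0001,
    photo-0002, ...) can compute the same value for every other user's image."""
    return hashlib.md5(image_id.encode()).hexdigest()


def sign_image_ref(image_id: str, expires_at: int, key: bytes = SECRET_KEY) -> str:
    """Bind image_id and an expiry timestamp to a keyed MAC.

    Without the server-side key a token cannot be forged, so guessing the next
    image id gains an attacker nothing; the expiry also limits how long a
    leaked link stays usable."""
    payload = f"{image_id}|{expires_at}".encode()
    mac = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{b64url_encode(payload)}.{b64url_encode(mac)}"


def verify_image_ref(token: str, now: int, key: bytes = SECRET_KEY):
    """Return the image_id if the token is authentic and unexpired, else None."""
    try:
        payload_b64, mac_b64 = token.split(".", 1)
        payload = b64url_decode(payload_b64)
        presented = b64url_decode(mac_b64)
        # rsplit so an image_id containing '|' still parses; the MAC covers
        # the whole payload either way.
        image_id, expires_str = payload.decode().rsplit("|", 1)
        expires_at = int(expires_str)
    except (ValueError, UnicodeDecodeError):
        return None  # malformed token: reject without leaking why
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # compare_digest is constant-time, so a forger learns nothing from timing.
    if not hmac.compare_digest(presented, expected):
        return None
    if now >= expires_at:
        return None
    return image_id


if __name__ == "__main__":
    now = int(time.time())
    weak = unkeyed_ref("photo-0001")
    token = sign_image_ref("photo-0001", now + 300)
    print("unkeyed (recomputable by anyone):", weak)
    print("keyed, expiring token:", token)
    print("verifies to:", verify_image_ref(token, now))
    print("after expiry:", verify_image_ref(token, now + 301))
```

The point for a messaging app is that the secrecy of a link must rest on a key the server holds, not on the obscurity of the URL scheme; any reference derived only from public or sequential data is equivalent to the plain id.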
#6
03-11-2014, 06:11 PM
simpleinteractive
Member
iPad mini
Join Date: Nov 2013
Location: London
Posts: 57

You know the old saying, there is no such thing as bad publicity! This media frenzy has brought your app to a huge number of people who would never have otherwise heard of it. Now you need to turn the crisis into an opportunity...
#7
03-12-2014, 03:47 AM
ThreeCubes
Senior Member
Join Date: Oct 2012
Posts: 732

Ok so you should never receive death threats or harassment for any app (well they should at least wait until you are earning 50k a day).

Let's face it, you made a shoddy messaging app with absolutely no thought to users' data security. You will now find that trying to upgrade the security to even a reasonable standard will cost more than it did to make the app. And now you're going to be on every hacker's hit list, so when that "New Update" is released with improved security you better make sure it's bulletproof, as it would be a great story to run if your new update is hacked within 5 mins of it being uploaded.

Not a good idea to threaten to sue somebody for no reason especially as you don't have the 100k needed to stage a defamation case that you would lose. I would be more worried about users suing you for breaches in the data protection act.

Having said that Simpleinteractive is right, there is no such thing as bad publicity and for a short window whatever you say will get media traction. You could turn this into a positive!! A public apology to the hacker would be a start!


I would also like to reiterate Broxxar's comment and thank you for being honest here; this is a great lesson that all developers should take note of.

Hope you can find a silver lining!

Last edited by ThreeCubes; 03-12-2014 at 04:02 AM..
#8
03-12-2014, 05:10 AM
Snovi
Junior Member
Join Date: Mar 2014
Location: Chicago
Posts: 7

Agree with the general sentiment here - you promised a secure app and it had almost no security. Don't shoot the messenger.

Still, I find a poetic justice in that the "wronged" consist largely of vacuous kids looking for a way to secretly send pictures of their junk. In fact, that probably guarantees that you won't get sued by a customer.
#9
03-14-2014, 02:01 PM
BlindAlbino
Member
iPad 2, iOS 6.x
Join Date: Dec 2012
Location: La Habra Hights, California
Posts: 55

First off, my heart goes out to you superman. You're in a tough spot, no question.

I'd be curious to hear more of this community's opinion on this specifically:
Any publicity is good?

In some casual, hypothetical, conversational sense I agree. But in a humbling yet severe case like this, would fighting that battle even be worth the effort and anguish?
I simply don't know if I would fight on, or start from scratch.
#10
03-17-2014, 10:24 AM
Blackharon
Developer
iPad (4th Gen), iOS 7.x
Join Date: Mar 2010
Location: Canada
Posts: 852

Quote:
Originally Posted by BlindAlbino
First off, my heart goes out to you superman. You're in a tough spot, no question.

I'd be curious to hear more of this community's opinion on this specifically:
Any publicity is good?

In some casual, hypothetical, conversational sense I agree. But in a humbling yet severe case like this, would fighting that battle even be worth the effort and anguish?
I simply don't know if I would fight on, or start from scratch.

If you can turn it around into a positive any news is good news, but this dev shot himself in the foot by acting like a bully.

Imagine if, upon the news being published, the dev shot the reporters a quick "we're working on it, it's our highest priority" line, fixed the issue(s) then sent out a press release stating, "Yes, there was a flaw in our security, but we've fixed it, now you're EVEN MORE secure than before!"