Developers - be careful out there!

03-11-2014, 06:20 AM
#1
Joined: Oct 2013
Posts: 34
Hi guys,

I wanted to share a harrowing experience I have recently had. This is mainly aimed at developers/app creators just starting out.

I posted a thread recently saying that I had 11,000 downloads on my chat application inside a month. At that point my app had done exceptionally well.

However, a week ago, some hackers decided to make my life hell as a consequence of exposing some security flaws in it.

I can only say that what happened next has been a quite stomach-churning experience. My app and my name have become infamous rather than famous; it's been all over the net. Some examples are here:

http://aol.it/PnB8S6
http://bit.ly/1qsdx0n
http://zd.net/1cMt5sq

Plus my app went viral over Twitter and I received messages of hate and resentment, even people wishing me death. My Twitter and GoDaddy accounts were hacked and I only resumed control of the latter yesterday after 3 days of being locked out. Twitter have not even bothered to do anything about my account.

So I have learnt a very valuable lesson: keep security of user information at the very top of your agenda, or face a very harsh lesson.

Suppoman
03-11-2014, 06:30 AM
#2
I think your biggest mistake was to threaten the person who contacted you. You could just have assured him that you would fix it as a first priority and this would never have blown up.

Then you should have tried to fix the bug immediately.

Whenever an irate customer contacts you, always be nice.

IronCode Gaming
Developers of Angkor, Riotball and More!
Like Us on Facebook: https://www.facebook.com/Ironcode.Gaming
Follow Us on Twitter: https://twitter.com/Ironcode_Gaming

03-11-2014, 07:25 AM
#3
Joined: Oct 2013
Posts: 34
He wasn't an irate customer. He wanted to make a name for himself.

He published his full disclosure on the internet without getting in contact with me via the support email address which is on the app or my app email address which is on my website.

Furthermore he went on to instigate the hacking events that took place.

If he had contacted me first it would have been a different story.
03-11-2014, 08:32 AM
#4
Joined: Jul 2012
Location: Norway
Posts: 159
"How Snapchat imitator Puffchat managed to do everything wrong
Summary: Early this week Snapchat imitator Puffchat threatened a hacker for disclosing serious security holes and fallacies in the app's privacy claims. As expected, things aren't going well for Puffchat's arrogant founder."

1) I don't think you (or anyone) deserve to get hate mail and threats.

2) I do sympathise with the grief you must have when you read stuff like that about yourself. Probably not what you hoped for when releasing the app.

3) Security issues should always be addressed without getting defensive. My suggestion is to just lay down flat and take responsibility; it works for politicians all over the world for a reason. Those who get too stubborn, in denial, or refuse to accept responsibility often find themselves in a worse and worse situation. Admit it (whatever 'it' is), say you are sorry for compromising users' trust, and say that you are working day and night on a solution.
03-11-2014, 12:30 PM
#5
Joined: Jun 2013
Location: Kingston, ON
Posts: 18
Forgive me if I'm wrong, but were you passing the link to the image stored on the server in plain text? Or were you at least using MD5 or a similar hashing algo (preferably then also using a private key/salt or what have you).

The backlash doesn't seem to have much to do with the lack of security, more so with the fact that you claimed it was secure and then when a "hacker" (let's be honest, this wasn't some expert blackhat) exposed security flaws, you actually blamed them. Yes, the hacker should have brought the issues to your attention privately, but it still seems you handled the situation in just about the worst way imaginable.

Nevertheless, thank you for sharing your valuable and hard-learned lesson with the community. Hopefully many will learn from this and avoid making similar mistakes with security of user data.

Good luck going forward, I hope you're able to bounce back from this hiccup!
03-11-2014, 06:11 PM
#6
Joined: Nov 2013
Location: London
Posts: 57
You know the old saying, there is no such thing as bad publicity! This media frenzy has brought your app to a huge number of people who would never have otherwise heard of it. Now you need to turn the crisis into an opportunity...
03-12-2014, 03:47 AM
#7
Joined: Oct 2012
Posts: 734
OK, so you should never receive death threats or harassment for any app (well, they should at least wait until you are earning 50k a day).

Let's face it, you made a shoddy messaging app with absolutely no thought to users' data security. You will now find that trying to upgrade the security to even a reasonable standard will cost more than it did to make the app. And now you're going to be on every hacker's hit list, so when that "New Update" is released with improved security you had better make sure it's bulletproof, as it would be a great story to run if your new update is hacked within 5 mins of it being uploaded.

Not a good idea to threaten to sue somebody for no reason, especially as you don't have the 100k needed to stage a defamation case that you would lose. I would be more worried about users suing you for breaches of the Data Protection Act.

Having said that, Simpleinteractive is right, there is no such thing as bad publicity, and for a short window whatever you say will get media traction. You could turn this into a positive!! A public apology to the hacker would be a start!

I would also like to reiterate Broxxar's comment and thank you for being honest here; this is a great lesson that all developers should take note of.

Hope you can find a silver lining!

Last edited by ThreeCubes; 03-12-2014 at 04:02 AM.
03-12-2014, 05:10 AM
#8
Joined: Mar 2014
Location: Chicago
Posts: 8
Agree with the general sentiment here: you promised a secure app and it had almost no security. Don't shoot the messenger.

Still, I find a poetic justice in that the "wronged" consist largely of vacuous kids looking for a way to secretly send pictures of their junk. In fact, that probably guarantees that you won't get sued by a customer.
03-14-2014, 02:01 PM
#9
Joined: Dec 2012
Location: La Habra Hights, California
Posts: 55
First off, my heart goes out to you superman. You're in a tough spot, no question.

I'd be curious to hear more of this community's opinion on this specifically:
Any publicity is good?

In some casual, hypothetical, conversational sense I agree. But in a humbling yet severe case like this, would fighting that battle even be worth the effort and anguish?
I simply don't know if I would fight on, or start from scratch.

Blind Albino mixes art, humor, and technology right into the palm of your hand. Enjoy!
03-17-2014, 10:24 AM
#10
Quote:
Originally Posted by BlindAlbino
First off, my heart goes out to you superman. You're in a tough spot, no question.

I'd be curious to hear more of this community's opinion on this specifically:
Any publicity is good?

In some casual, hypothetical, conversational sense I agree. But in a humbling yet severe case like this, would fighting that battle even be worth the effort and anguish?
I simply don't know if I would fight on, or start from scratch.
If you can turn it around into a positive any news is good news, but this dev shot himself in the foot by acting like a bully.

Imagine if, upon the news being published, the dev shot the reporters a quick "we're working on it, it's our highest priority" line, fixed the issue(s) then sent out a press release stating, "Yes, there was a flaw in our security, but we've fixed it, now you're EVEN MORE secure than before!"

Looking for a writer? PM me

Game Designer of:
Family Feud 2 My First Huge Apple Feature!
Pickpawcket
And a bunch of other games you've never heard of!