Monday, January 9, 2012

Hoisted by my own petard: or why my app is number two (for now)

I have to admit that I have taken some small pride in the fact that my app, Yoga-pedia, has been the number one yoga app on the Windows Phone marketplace since its debut over the summer. Imagine my surprise when I checked the marketplace today and found another yoga app in the lead!

Of course I had to know what made this app so special and so I clicked through to check out the competition. OK, the cover art shows a barely clad buxom brunette in some faux pose – “it’s one of those apps” I said to myself; those soft-core apps that are all about titillation and little else.

Needing to satisfy myself that I had this app pegged, I quickly scanned the description… what’s this!? “No matter what your issue, there is most probably a pose for that” – that’s my line (after all, my paid app is “A Pose for That”). My eyes dropped to the screen shots – no way! – Other than the home page, the screen shots were lifted right out of my app!

This free app included the four yoga instruction videos only included in my paid app. Just to be clear, these videos feature my wife as the instructor, I filmed the videos (and even composed and recorded the music).

I’d been beaten by my own content!

Two things happened in quick succession; first, I got really pissed; and then I was awash in a flood of questions…

  • Who the F#$! is behind this? (and please let me meet them one day)
  • How did they do this? (and is there something I could have done to prevent it?)
  • What can I do about it? (and how much of my time is this going to suck up?)
  • Is this a common problem (if so, why haven’t I heard about this before?)
  • Why did they do this? (they don’t show ads and the apps are free)
  • What other apps does this publisher have? (and are they also stolen?)
  • And do I tell my wife? (because she is going to be even more pissed than me)

Who’s behind it? Well, I can’t say for sure – the company name has no other reference on the web that I could find – but they’re out of China and I am working on a few leads…

How did they do it? I believe they downloaded the XAP from the marketplace and while they couldn't take my code (it’s not in their app), they definitely lifted my resources (they are named identically to mine including spelling mistakes). Obfuscation/encryption can protect the code – but did nothing to shield my external resources (like the videos).

What can I do about it? Microsoft has an established process that I have initiated – I’ve been led to believe that they will act swiftly given the unequivocal evidence I was able to develop. If this is all there is to it, Microsoft has made the process straightforward (I will post more if it’s more involved).

Is this a common problem? I have no idea – can someone else share?

Why did they do it? I really don’t know – BUT the pirated version of the app uses

  • music and video library
  • phone identity and
  • data services

There is no reason to use these services to play my four simple videos – is this malware? Phishing? What are they doing with this app? I’ll have to take a closer look – I expect (hope) Microsoft will too.
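The two observations above (resources carried over under identical names, and capabilities the videos do not need) can be checked mechanically when assembling takedown evidence. The following is an added example, not part of the original post or the author's tooling: it assumes a XAP is a ZIP archive whose capability list lives in WMAppManifest.xml, and the two packages, their file names and their capability sets are constructed sample data.

```python
import hashlib, io, zipfile
import xml.etree.ElementTree as ET

def make_xap(files):
    """Build an in-memory XAP (a ZIP archive) from {entry name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in files.items():
            z.writestr(name, data)
    return buf.getvalue()

def digests(xap):
    """Map every entry name in the package to the SHA-256 of its bytes."""
    with zipfile.ZipFile(io.BytesIO(xap)) as z:
        return {n: hashlib.sha256(z.read(n)).hexdigest()
                for n in z.namelist() if not n.endswith("/")}

def shared_resources(mine, theirs):
    """List (their name, my name, same name?) for byte-identical entries."""
    by_hash = {}
    for name, h in digests(mine).items():
        by_hash.setdefault(h, []).append(name)
    return [(name, orig, name == orig)
            for name, h in sorted(digests(theirs).items())
            for orig in by_hash.get(h, [])]

def capabilities(xap):
    """Capability names declared in the package's WMAppManifest.xml."""
    with zipfile.ZipFile(io.BytesIO(xap)) as z:
        root = ET.fromstring(z.read("WMAppManifest.xml"))
    return {e.get("Name") for e in root.iter()
            if e.tag.rsplit("}", 1)[-1] == "Capability"}  # ignore any XML namespace

def extra_capabilities(mine, theirs):
    """Capabilities the copy requests that the original does not declare."""
    return sorted(capabilities(theirs) - capabilities(mine))

def manifest(caps):  # constructed, minimal stand-in for a real manifest
    body = "".join('<Capability Name="%s"/>' % c for c in caps)
    return ("<Deployment><App><Capabilities>%s</Capabilities></App></Deployment>" % body).encode()

# Constructed sample packages; file names and contents are invented.
MINE = make_xap({"WMAppManifest.xml": manifest(["ID_CAP_NETWORKING"]),
                 "Videos/SunSalutaton.wmv": b"video-1", "Videos/Warrior.wmv": b"video-2",
                 "App.dll": b"original code"})
SUSPECT = make_xap({"WMAppManifest.xml": manifest(["ID_CAP_NETWORKING", "ID_CAP_MEDIALIB", "ID_CAP_IDENTITY_DEVICE"]),
                    "Videos/SunSalutaton.wmv": b"video-1", "Media/intro.wmv": b"video-2",
                    "Other.dll": b"different code"})

if __name__ == "__main__":
    for theirs, ours, same in shared_resources(MINE, SUSPECT):
        print(theirs, "==", ours, "(same name)" if same else "(renamed)")
    print("extra capabilities:", extra_capabilities(MINE, SUSPECT))
```

Matching on content hashes rather than file names means a copied video is still reported after it has been renamed.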

What other apps does this publisher have? Some over-the-top soft-core apps and a collection of language apps – I suspect all of these are “resource-heavy” with little or no exposed app logic (so they are all stolen) – they are driving adoption for sure – but to what end?

And, last but not least, do I tell my wife? Well, of course I did and, yes, she is pissed – especially when I explained that there is no way we are suing anyone in China for copyright infringement.

At the time of this posting, the offending app is still live - but to be fair, it’s been 5 hours since I discovered the app, 4 ½ hours since I first contacted Microsoft, 3 ½ hours since Microsoft gave me the contacts and process to begin the take down process, and 2 hours since I initiated the process.

I’m coming for you Ryan! (and you'd better hope that I get to you before my wife does)


The offending app has been taken down by Microsoft. It took 24 hours and, as I tweeted earlier, given the legal hoops I'm sure Microsoft had to jump through, I think that's pretty good.

On the other hand, the bad actor, Ryan Lan AG, still has 10 apps on the marketplace. I think publishers who so blatantly abuse their fellow publishers should be blacklisted. ...but that's just me. Ryan - you want to man-up and identify yourself?


Anonymous said...

I presume the data and phone identity is for analytics. Music? Maybe that's a feature that's been added. I really hope you get the ripoff pulled down.

Rene Schulte said...

I hope that fake copy of your app gets pulled down quickly.
Why does this always happen with China? I know it's a cultural thing, but man that sucks.
I know that feeling just too well. My quite successful apps were cracked, translated to Chinese (!) and the XAPs were hosted at some Chinese forums. This happened 2 days after I released a huge update for my Pictures Lab app for example. :(

I see you are the CMO of PreEmptive. Maybe it's a targeted attack to show that Obfuscation is no full solution at all? You guys and MS were saying that obfuscation protects an app, but me and others always knew it's only half of the job.
Only the highest level of obfuscation really helps, but that kills the performance, so it's a no go for performance critical apps. And as you experienced yourself, assets like audio, images, video, string resources (translated text) and most important XAML aren't protected by obfuscation at all.
MS finally needs to enforce the higher protection of the XAPs. I hope you as a MS partner can help to push MS so they finally enforce the better protected XAPs.

BTW, since you are the CMO of PreEmptive some might speculate this here is probably a marketing stunt. You can develop a nice story out of this. Your code was protected and the app that has stolen your assets, the only non-protected part by Dotfuscator, gets quickly pulled down by MS. A happy end.
Don't get me wrong, I don't think you are doing this here, but some people might just speculate.

All the best for you and your apps. I hope it all ends well.

- René Schulte @rschu

AppsRpeople2 said...

To Anonymous - The app plays 4 videos - that's it. There is no music and there is no standard analytics that I could find.

AppsRpeople2 said...

Rene, it never dawned on me that anyone would consider this as a "marketing stunt". First, it would have to be a positive story (and it's not) - the only way to have avoided this would have been to stream the videos from the cloud rather than include them as resources (so the Azure evangelists may have an angle here). ...and there's also the little detail that we don't actually charge for Dotfuscator on WP7 - we give it away at no cost.

Is there irony here? Perhaps - but I don't really see it. Lastly, your comment that obfuscation is "half a job" is like saying seat belts and smoke detectors only do "half a job" because people still get injured in accidents and fires (nor does obfuscation always impact performance) but that's a whole other thread and not at all the topic at hand.

Bottom line - this is an exploit that I had not seen before and I wanted to share it with the community for the "greater good". Please don't be so cynical.

Anonymous said...

Wow, I'm sorry to hear this about your app. @rschu described his thoughts on the issues involved but I'm curious as to what PreEmptive and Microsoft think on the subject too. Are there solutions for this (besides streaming content) and do these problems exist as blatantly on Android and iOS?

Rene Schulte said...

I apologize if you got the impression my comment was cynical Sebastian. It wasn't my intent. Really! I just wanted to give a comment how this might be seen from the outside.

I mentioned Dotfuscator cause I remember you and MS are always telling WP7 devs they should use it in order to protect their IP. And now your IP was stolen.
BTW, you know that giving something away for free, doesn't mean you're giving it away without any benefit. ;)

As a CMO you were always very vocal about the usage of Dotfuscator and I didn't know you draw that line here. It's OK if this case described above should not be linked to your job as PreEmptive CMO.

My comments are not meant to be cynical and I'm sorry if you got that impression. As I wrote before, I'm also affected by WP7 piracy and can feel your pain. MS finally needs to enforce the improved XAP protection.
I hope you can get it sorted out and that crap app gets pulled down very quickly. I actually had hoped it is already down. :(
All the best. Please keep us updated.

- René Schulte @rschu

AppsRpeople2 said...

OK - thanks for your clarifications Rene; they are appreciated.

A couple of quick points - obfuscation protects IP in code and is not intended to protect IP in media, which is the class of IP that has been stolen from me. The design of my app, the logic (of mapping poses to symptoms), the streaming of a daily audio lesson, etc. has not been stolen. In this particular scenario, obfuscation has not been found wanting - but it is a good lesson for anyone who relies upon media and has a false sense of security because of how they've protected their code.

Now, having said that, I am positive that if hackers saw enough value in the IP within my code, they would find a way to it (with or without obfuscation). Their investment in cracking (and therefore the required investment to protect myself) is directly proportional to the value being secured (that's why banks need more security than dry cleaners).

And this speaks to the last "anonymous" post as well - he/she asks if there are technologies that can protect media resources. Of course - media companies, gaming companies, etc. employ them all of the time - none of them are perfect and they get progressively more onerous in proportion to their sophistication.

Do iOS and Android have the same issues? Of course (not identical - but analogous) because criminals follow the money... (that's also why PCs have more viruses than Macs - it's not that Macs are more secure - it's that there is less opportunity for hackers on Macs than on PCs).

In any case, thanks for the second note and I will let everyone know when the "Bad APP" is off of the MSFT marketplace.

Paras Wadehra said...

Hi, can you please explain what was the process to contact Microsoft to remove this pirated app from the marketplace?

AppsRpeople2 said...

Paras - email - they have a form that you fill out. Good luck.