Rogue app: Syn for iPhone slips through Apple review process

April 10, 2012

I got some annoying app requests on Facebook from this one app. They came via friends who I know click on too many apps and games, so I ignored them. Yesterday I saw a post about this very app, called Syn, on the Dutch iPhoneclub, where it was deemed a spam app. Worse, somehow it had made it to the number one position in the paid top 10 of all apps, in spite of an average rating of 1 star (!). My first reaction was that the company behind the app, Falkor, Inc., must have hired some shady firm to boost downloads to get that high in the ranking. But with so many people complaining about spam, I thought: let’s dig deeper and do some research.

Syn asking for Facebook credentials

First, it’s a paid app (0.79 euro, $1), so reluctantly I had to pay. To make sure I would not bother too many friends, I created a new FB account that only I myself friended. To see what traffic was sent down the wire, I used my favorite sniffer tool, Charles, and set up my iPhone to use it as a proxy. After installation the first screen already raised my suspicion: it asked for my Facebook credentials. With OAuth being the standard now, this is a clear violation of Facebook Platform policies: no collection of usernames and/or passwords. With Charles I could see what was done: Syn logged you into Facebook directly, which surprised me was even possible. After comparing the HTTP traffic with that of the Facebook iOS app itself, it turned out that Syn used precisely the same endpoint to log in (https://api.facebook.com/restserver.php), and FB’s own API key (haha).
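
The credential check described above, as an added example that is not part of the original post or of Syn’s code: it scans requests exported from an intercepting proxy and flags any POST that submits a password to Facebook’s own login endpoint instead of going through an OAuth authorization redirect. The sample capture, the host list and the `api_key` value are constructed assumptions; the post does not reproduce the real key.

```python
from urllib.parse import parse_qs, urlsplit

# Parameter names that indicate a raw credential is being submitted.
CREDENTIAL_FIELDS = {"password", "passwd", "pass", "pwd"}

# Hosts of the identity provider. A third-party app should only ever reach
# these through an OAuth authorization redirect, never with a user's password.
IDENTITY_PROVIDER_HOSTS = {"api.facebook.com", "www.facebook.com", "graph.facebook.com"}

# Constructed sample of a proxy session (not real captured traffic). The
# api_key value is a placeholder; the post does not reproduce the real key.
CAPTURE = [
    {"method": "GET", "url": "https://www.falkor.com/syn/start", "body": ""},
    {"method": "POST", "url": "https://api.facebook.com/restserver.php",
     "body": "email=alice%40example.com&password=hunter2&api_key=APP_KEY_PLACEHOLDER"},
    {"method": "GET", "url": "https://api.facebook.com/restserver.php?method=friends.get", "body": ""},
]

def classify(request):
    """Return a finding for one request, or None when it looks benign."""
    parts = urlsplit(request["url"])
    host = (parts.hostname or "").lower()
    if request["method"].upper() != "POST":
        return None
    fields = set(parse_qs(request["body"]))  # form-encoded parameter names
    if not fields & CREDENTIAL_FIELDS:
        return None
    if host in IDENTITY_PROVIDER_HOSTS:
        return f"user password sent straight to {host} (bypasses OAuth)"
    return f"user password sent to third-party host {host}"

def uses_oauth(capture):
    """True if the session contains an OAuth authorization request to the provider."""
    for r in capture:
        parts = urlsplit(r["url"])
        if (parts.hostname or "").lower() in IDENTITY_PROVIDER_HOSTS and "oauth" in parts.path.lower():
            return True
    return False

def audit(capture):
    """Return (url, finding) pairs for every request that submits credentials."""
    findings = []
    for r in capture:
        finding = classify(r)
        if finding:
            findings.append((r["url"], finding))
    return findings

if __name__ == "__main__":
    for url, finding in audit(CAPTURE):
        print(f"{finding}: {url}")
    print("OAuth flow observed:", uses_oauth(CAPTURE))
```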

After logging in with my FB credentials, it downloaded my only friend (myself) and offered to sync the info to the address book on my iPhone. Right after I confirmed, I got an app request on Facebook. Clicking on the app request did only one thing: after a redirect via falkor.com, the iTunes app was opened, deep-linking to the Syn app.

So yes, a rogue app. Facebook credentials are used in an illegal way, and friends are spammed with a link to download the app. I suspect too many FB users are gullible and just click on an app request from a friend. I checked whether my address book was uploaded to the Falkor servers; that did not happen. So Facebook should certainly do everything it can to stop this app by this shady company (its web site lists another product called Spyder, a MySpace friend-adder bot). Apple also should have stopped this app, although strictly speaking the only violation I could see is tricking users into spamming friends via Facebook.

The main thing Apple did wrong here is allowing the number 1 position in the iTunes App Store, in spite of the average rating of 1 star. Apple is just asleep at the wheel; anybody can spot that something is wrong. Fake or accidental downloads by tricked users gave it this number 1 ranking, and this shows how broken the algorithm is. As I said before, we expect better from our beloved Apple.

Update 1 (4/18/2012):

I just tested the new version of Syn, version 1.0.2. It still uses your Facebook credentials directly, so it still violates FB’s policies. I don’t understand why Facebook hasn’t blocked this app yet. On a positive note, it now asks for permission to spam your friends. The message is more like begging for money (see to the right). Still, I would not recommend using this app.

Update 2 (4/25/2012):

I got notice from Facebook that they reviewed my report and subsequently have shut down the Facebook app.

Update 3 (4/26/2012):

And Apple has removed Syn from the iTunes App Store.

Dirk de Kok

22 responses to Rogue app: Syn for iPhone slips through Apple review process

  1. I don’t know the app in question, but if you are looking for a contact sync app that does not create its own address book and does not spam your friends by itself, maybe uptact is for you. I use it myself and a lot of my friends do. The best part of it is that it’s free and so are the contact updates.

  2. Great testing, and explanation of how it works. It’s hit the number 1 top paid app in Australia too.

    In regards to your comment ‘Apple is asleep at the wheel’ – they’re not. The app charts, I presume, are dynamically based on sales… and if an app is selling, which that app is, it will rightly so hit the number one spot. Otherwise they wouldn’t be true top paid app charts, would they?

    Cr@iG

    • Well, letting an app with an average rating of 1 star take first position is a flaw in the algorithm; second, if only downloads (or revenue) dictate ranking, you should still take out an app with such a low rating and reviews that say it is a spam app. Problem is, users discover apps primarily through top 10s. This will drive more downloads, bad experience, low ratings and tarnish the Apple brand.

  3. Neat article. Thanks for testing it out. I wanted to test it out and see how the average person without knowledge of this being a spam app falls into the trap, but since you did, I don’t have to drop a U.S. dollar. I did put a post up on my blog yesterday about Syn and what it really does, but now I can revamp part of the post to add more detail (I will give you credit for that part).
    As for what Craig said, there is a scammer (maybe more) out there that contacts developers asking them if they want to pay so much to have their app downloaded and 5-star reviewed so many times. So yes, technically it is a top paid app… with unfair stats.
    Apple has said they frown upon this and will not tolerate it, but I’m questioning that as this app has been on the American app store since April 2.

  4. The part where it says “do muc” is supposed to be “so much”

  5. Great analysis – the security warning has been added to TrustR.

  6. Looks like it was updated today. No more spam as it now asks you if you want to send the requests to your friends and you can opt-out of it. If you do decide to send the requests it brings up a list of your friends to choose, haven’t seen that before.

  7. I’ve just downloaded Syn and all of my Facebook contacts have synced to my iPhone address book, so I have over 700 contacts. How can I revert this? What’s the best way to remove them all?

  8. @dirk is it worth getting with the new update?

  9. Just because a different app uses a web view doesn’t mean it can’t see what your password is.

    • Hey Danielle, I finally figured out you are related to Falkor, the company behind Syn. Why don’t you be open about that? I would say you are trying to make the app less spammy, so tell more about that.

  10. Hi.. thanks for the information..
    I had downloaded the app a few weeks back and had logged into it, but never synced the data.
    Is it possible for them to access my information, that is, my Facebook data and phone data?

    • As long as the app is installed and you run it, they can access your phone data and your Facebook data. I have not seen evidence of Syn sending information to their own servers; it all happens in the iOS app. So I would delete the app from your phone. Facebook has deleted the Facebook app, so on Facebook there should not be any trouble anymore.

  11. Hi there,
    Interesting article.
    Seems like ‘Syn’ app is back in the Apple store.
    Do you have any news / update about that? Is it still a Rogue App?

Trackbacks and Pingbacks:

  1. Best-selling Dutch iPhone app turns out to be a spam machine - iPhoneclub.nl - April 10, 2012

    […] of Syn and does not understand why Apple approved this app. You can find his test findings here: Rogue app: Syn for iPhone slips through Apple review process. Tip from: Bubbly […]

  2. Here’s why the Facebook iOS app is so bad (UIWebViews and no Nitro) | Mobtest blog - May 14, 2012

    […] HTML and UIWebViews without the Nitro JavaScript engine. I did some network sniffing (I like sniffing) and found out that the data that the iOS app downloads from facebook.com is a mixture of REST (XML […]