I got some annoying app requests on Facebook from this one app. They came via friends that I know click on too many apps and games, so I ignored them. Yesterday I saw a post about this very app, called Syn, on the Dutch iPhoneclub, where it was deemed a spam app. Worse, somehow it had made it to the number one position in the paid top 10 of all apps, in spite of an average rating of 1 star (!). My first reaction was that the company behind the app, Falkor, Inc., must have hired some shady firm to boost downloads to get that high in the ranking. But so many people complained about spam that I thought: let’s dig deeper and do some research.
First, it’s a paid app (0.79 euro, $1), so reluctantly I had to pay. To make sure I would not hinder too many friends, I created a new FB account that only I myself friended. To see what traffic was sent down the wire, I used my favorite sniffer tool, Charles, and set up my iPhone to use it. After installation, the first screen already raised my suspicion: it asked for my Facebook credentials. With OAuth being the standard now, this is a clear violation of Facebook Platform policies: no collection of username and/or password. With Charles I could see what was done: Syn logged you in directly onto Facebook, which surprised me was possible. After comparing HTTP traffic with that of the Facebook iOS app itself, it turned out that Syn used precisely the same endpoint to login (https://api.facebook.com/restserver.php), and FB’s own API key (haha).
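The distinction above, a client posting the user's password straight to the platform's login endpoint versus a client that only ever exchanges an OAuth code, can be checked mechanically over a proxy capture. The following is an added example, not code from the post or from the vendor: it classifies constructed HAR-like request entries, and the field names, hosts other than api.facebook.com, and all values are assumptions, not real captures.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed sample of proxy-captured requests, loosely shaped like HAR entries
# (method, url, postData). They are made up for this example, not taken from
# the post. Assumption: the rogue client posts e-mail and password to the
# platform's legacy REST endpoint, while a well-behaved OAuth client only
# exchanges an authorization code for a token and never sees the password.
CAPTURE = [
    {"method": "POST", "url": "https://api.facebook.com/restserver.php",
     "postData": "method=PLACEHOLDER&email=me%40example.org&password=hunter2&api_key=PLACEHOLDER"},
    {"method": "POST", "url": "https://graph.facebook.com/oauth/access_token",
     "postData": "client_id=PLACEHOLDER&code=CONSTRUCTED_CODE&redirect_uri=fbconnect%3A%2F%2Fsuccess"},
    {"method": "POST", "url": "https://thirdparty.invalid/sync",
     "postData": "fb_email=me%40example.org&fb_password=hunter2&contacts=%5B%5D"},
    {"method": "GET", "url": "https://graph.facebook.com/me/friends?access_token=REDACTED",
     "postData": ""},
]

# Hosts that belong to the platform whose credentials we care about (assumed list).
PLATFORM_HOSTS = {"api.facebook.com", "graph.facebook.com", "www.facebook.com"}
PASSWORD_KEYS = ("password", "passwd", "pwd")


def password_fields(post_data):
    """Return the urlencoded form field names that look like password fields."""
    fields = parse_qs(post_data, keep_blank_values=True)
    return sorted(k for k in fields if any(p in k.lower() for p in PASSWORD_KEYS))


def classify(entry):
    """Label one captured request by what it does with the user's password."""
    host = (urlsplit(entry["url"]).hostname or "").lower()
    if not password_fields(entry.get("postData", "")):
        return "no-credentials"          # token/code only, or no secret at all
    if host in PLATFORM_HOSTS:
        return "direct-login"            # app handled the password itself, bypassing OAuth
    return "third-party-credential-post"  # password sent to a server that is not the platform


def audit(capture):
    """Map each request URL to its label, keeping only requests that carry a password."""
    return {e["url"]: classify(e) for e in capture if classify(e) != "no-credentials"}
```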
After logging in with my FB credentials, it downloaded my only friend (myself), and offered to sync the info to my address book on my iPhone. Right after I confirmed, I got an app request on Facebook. Clicking on the app request did only one thing: after a redirect via falkor.com the iTunes app was opened, deep linking to the Syn app.
So yes, a rogue app. Facebook credentials are used in an illegal way, and friends are spammed with a link to download the app. I suspect too many FB users are gullible and just click on an app request from a friend. I checked whether my address book was uploaded to the Falkor servers; that didn’t happen. So for sure Facebook should do everything it can to stop this app by this shady company (its web site lists another product called Spyder, a MySpace friend-adder bot). Apple also should have stopped this app, although strictly speaking the only violation I could see is tricking users into spamming friends via Facebook.
The main thing Apple did wrong here is the number 1 position in the iTunes App Store, in spite of the average rating of 1 star. Apple is just asleep at the wheel; anybody can spot something is wrong. Fake or accidental downloads by tricked users gave it this number 1 ranking, and this shows how broken the algorithm is. As I said before, we expect better from our beloved Apple.
Update 1 (4/18/2012):
I just tested the new version of Syn, version 1.0.2. It still uses your Facebook credentials directly, so it still violates FB’s policies. I don’t understand why Facebook hasn’t blocked this app yet. On a positive note, it now asks for permission to spam your friends. The message is more like begging for money (see to the right). Still, I would not recommend using this app.
Update 2 (4/25/2012):
I got notice from Facebook that they reviewed my report and subsequently have shut down the Facebook app.
Update 3 (4/26/2012):
And Apple has removed Syn from the iTunes App Store.