How to go from zero to 400,000 push notifications in one day (opens in new tab)

(islandofdoom.com)

16 pointsMProgrammer13y ago11 comments

11 comments

Nice post-mortem of a quirky bug. I think we're only going to be getting more problems as web services can change their APIs instantly, while iOS apps have a build-test-deploy cycle measured in weeks.

Don't get me started about Facebook

AUmrysh13y ago

I think API versioning is important for this very reason. It's also important for developers to update their code to run on newer versions of the API so companies can drop support for the old API eventually.

dan123413y ago

I'm pretty surprised that neither Apple nor StackMob had an upper limit for the number of notifications your account could send or a user's device could receive within a set time.

I wonder how many users have now uninstalled your app?

stickfigure13y ago

Do I understand correctly that StackMob lets your iOS client send push notifications directly to other users?

How does this API prevent spammers from hijacking your app credentials to send pushes to all your users?

MProgrammerOP13y ago

They're not sent "directly" -- they go through StackMob's servers. Urban Airship has a client library that can do the same thing, and it's widely used.

I can see how it's certainly possible for a spammer to do that with hackery, but there's a mechanism to revoke API keys and so forth if needed.

stickfigure13y ago

Revoking your API key is the equivalent of taking your application offline. And there's no fix; as soon as you reissue your application (after waiting a week for Apple's approval) then the spammer has your API key again and can start sending pushes through StackMob/Urban Airship.

I send a lot of push notifications through my own servers. I made sure that spammers would have a hard time abusing it by constraining (server-side) who can send what messages to whom. Unless I'm missing something, StackMob has no defense against spam whatsoever.

If spammers aren't already abusing this, they will be soon.

1 more reply

mason5513y ago

Sounds like you're responsible for ensuring that your app only sends broadcasts when appropriate. If you create an app that lets end users send push notifications to an arbitrary list of users then that's on you for allowing it to happen.

stickfigure13y ago

If the iOS application decides who to send messages to and what the content of the message should be, then anyone who downloads the app now has the ability to spam to any other user just by extracting the API key out of the binary and using the StackMob API directly.

hackmiester13y ago

I wonder if there is any chance of seeing this app on Android. I know it's a small project and that seems silly, but hell, maybe I want to talk to iPhone users.

StavrosK13y ago

TL;DR: It was a bug.

j / k navigate · click thread line to collapse

11 comments

ajlburke13y ago

Don't get me started about Facebook

AUmrysh13y ago

dan123413y ago

I'm pretty surprised that neither Apple nor StackMob had an upper limit for the number of notifications your account could send or a user's device could receive within a set time.

I wonder how many users have now uninstalled your app?

stickfigure13y ago

Do I understand correctly that StackMob lets your iOS client send push notifications directly to other users?

How does this API prevent spammers from hijacking your app credentials to send pushes to all your users?

MProgrammerOP13y ago

They're not sent "directly" -- they go through StackMob's servers. Urban Airship has a client library that can do the same thing, and it's widely used.

I can see how it's certainly possible for a spammer to do that with hackery, but there's a mechanism to revoke API keys and so forth if needed.

stickfigure13y ago

If spammers aren't already abusing this, they will be soon.

1 more reply

mason5513y ago

stickfigure13y ago

hackmiester13y ago

I wonder if there is any chance of seeing this app on Android. I know it's a small project and that seems silly, but hell, maybe I want to talk to iPhone users.

StavrosK13y ago

TL;DR: It was a bug.

j / k navigate · click thread line to collapse