1. This website uses cookies to improve service and provide a tailored user experience. By using this site, you agree to this use. See our Cookie Policy.
    Dismiss Notice

Use VPS to mimic mass Android/IOS devices so they appear to app devs as real distributed users?

Discussion in 'Black Hat SEO Tools' started by punkinhead, Nov 21, 2017.

Thread Status:
Not open for further replies.
  1. punkinhead

    punkinhead Regular Member

    Joined:
    Feb 19, 2015
    Messages:
    450
    Likes Received:
    36
    I ask some version of this question every year or two, and have yet to find a real answer. Like the tile says, looking to create the illusion of hundreds of actual mobile app users all across the globe on different networks, devices, etc. Spooffing should represent an average cross-section of actual users in every way so app devs cannot fingerprint system to determine anything other than normal mobile users.

    Not trying to buy hundreds of actual devices and wire them up to pegboard in a shed or anything like that. Specifically looking to setup quick deployments of Windows or Linux virtual machines, and efficiently run a number of devices per VM, or divide server to many VM's with single "device" per VM. Whichever works.

    Essentially looking to do what Multiloginapp does for mobile browsers (profile based spoofing of all aspects of desktop web browser), but for various app use rather than browsers.

    I understand it's a bit of a tall order, so really hoping to break some ground here and at least get a conversation going about what such a system would need to look like.
     
    • Thanks Thanks x 1
  2. natmicon

    natmicon BANNED BANNED

    Joined:
    Dec 1, 2012
    Messages:
    102
    Likes Received:
    51
    I'm interested in this as well. Do they have "selenium for phones"? Of course sophisticated fingerprint systems can be really hard to beat, but I'd like to work from the ground up as far as how you approach setting up these systems.
     
  3. punkinhead

    punkinhead Regular Member

    Joined:
    Feb 19, 2015
    Messages:
    450
    Likes Received:
    36
    Even if there is no prefab automation solution, that should be the easy part. What I've never come across is someone who can give a good explanation of exactly what information a dev has access to their end when a real user engages with their app, and how to spoof that. I just don't know enough about it. I've got a decent grip on user agents, cookies, etc. on the desktop browser side... but really hoping someone has already worked out part of this system or can share info on exactly what would need to be spoofed as a starting point. API engagement, other elements on the phone that app can access, device and carrier information, if there is a way to spoof roaming users who connect via data plans, then wifi networks, etc.
     
  4. BloodyNinja

    BloodyNinja Power Member

    Joined:
    Oct 28, 2013
    Messages:
    653
    Likes Received:
    660
    Location:
    Deeptown
    Okay, let's start from simple questions...
    Do you know any open source virtual machines for Android/iOS emulation?
    If not, on top of what a fingerprint management module should be built?
    Theoretically, building and own virtual machine is an option. But,... :)
     
  5. BeerMoneySwagger

    BeerMoneySwagger Newbie

    Joined:
    Feb 16, 2015
    Messages:
    20
    Likes Received:
    1
    Maybe use a vps and install bluestacks?

    Or high end VPS->docker->bluestacks.
    This in theory would allow multiple bluestacks instances to run on one vps.

    Google docker if you want to learn more about it.

    Not 100% if this would work but just something that came to mind
     
  6. punkinhead

    punkinhead Regular Member

    Joined:
    Feb 19, 2015
    Messages:
    450
    Likes Received:
    36
    Haven't used docker, but I've read about it a few times regarding other projects.


    That's more or less what I was picturing. Working emulator / spoofing app aside, there are some architectural issues to iron out. I'm assuming for overhead purposes that it's best to run several instances on a single machine vs lots of tiny vm's just big enough for one instance each. While I'm still trying to dig into what tools are already available, I'm also guessing that using a Windows OS may be required due to usurping existing tools built for Windows.

    Architectural questions can likely be answered on stackoverflow, spiceworks, or similar. While I certainly welcome any such answers here, I'm guessing BHW is likely good for some insights on the spoofing part.

    I don't really know enough about emulators or Android/IOS in general to have any opinion as to which are worth digging into, but I've come across a few open source starting points like:

    Android Linux:
    https://github.com/gustavosotnas/avd-launcher#english
    https://anbox.io/
    http://www.shashlik.io/

    Android Widows:
    http://www.android-x86.org/

    I'm sure there are more, but that's what I've come across. On the IOS side, some other questions pop up. I would guess that part of emulating a real user would have to do with the history of the user that the app dev can track. For instance, the dev would be able to tell where they downloaded the app. In the case of Apple's closed ecosystem, real users would undoubtedly have done so via the appstore.

    I don't know all the details, but it would seem there is a hurdle here in terns of an emulator that is able to download apps from the appstore since now we are getting into isues of (I think) MAC address, machine ID's, Apple user ID's, or whatever other toolls they use to control their ecosystem. Ultimately, this all matters as far as I can tell only to the extent that the developer of the app being spoofed can track the app procurement.

    This does also start to open the broader issue of whether some apps can access other data like location, other data on phone, and how such items would either need to be spoofed as a real user would need to agree to some of those terms in order to launch the app.

    Some of these items (like location) would have a minimum threshold of what is necessary to spoof (User is at a given address) on up to a more complex version (user goes to a certain building with wifi during work areas, stops at Strarbucks, etc. I understand the more complex version is more compelliing, but I would think so long as most basic version can be met, it's good enough to roll out.
     
    Last edited by a moderator: Nov 6, 2018
  7. BeerMoneySwagger

    BeerMoneySwagger Newbie

    Joined:
    Feb 16, 2015
    Messages:
    20
    Likes Received:
    1

    What do you mean by spoofing?

    Yes I know what spoofing means just wanted more detail as to what you mean by it..

    Btw. I do plan on doing something like this so that's why im interested on spinning up instances of the android app or multiple android vm with the app on the vm..

    The second part to this will be automation of the app. Something like selenium but for android.
     
  8. punkinhead

    punkinhead Regular Member

    Joined:
    Feb 19, 2015
    Messages:
    450
    Likes Received:
    36
    Spoofing = Reporting values that match those a typical user would have rather than your actual values.

    Take the example of a user agent for a desktop browser. It allows the site you are visiting to see your operating system, browser version, etc. If anything about your configuration is out of the ordinary, this is a red flag, so you would need to spoof the outgoing UA to show all the characteristics of a common configuration like a typical user would have. There are actually a great number of items that must be spoofed beyond the user agent just for desktop browsers... and that's a much easier nut to crack.

    You could think of proxies that way too... they are spoofing the IP.

    Read MultiLoginApp's blog (tab on their site) to get a feel for some of the details involved in desktop browser spoofing. Mobile app user spoofing is much more complex, and I'm not aware of any product that even makes a solid attempt at solving it.
     
Thread Status:
Not open for further replies.