How to block web traffic coming from the TOR network

The Problem

TOR allows anyone to very easily hide their true IP address when accessing a website.  This makes it very difficult to ban troublesome users from accessing your site by following the common practice of blocking traffic based on IP address.

How TOR Works

TOR achieves anonymity for a user by routing all traffic randomly between multiple nodes in the network (of other TOR users) before finally exiting the TOR network and reaching the final intended destination.  Traffic only exits the TOR network from specifically designated exit nodes.  Luckily for us, the TOR network infrastructure maintains a master list of all such exit nodes.  The total number of exit nodes is relatively small (fewer than 100,000 currently).

Solution

By maintaining a copy of the list of all TOR exit nodes in our server’s memory, we are able to screen all incoming web traffic against that list to effectively block all traffic coming from the TOR network.  I have created a simple C# library which downloads the list of exit nodes, maintains a copy in server memory, and automatically keeps the list up to date.  The project is available on GitHub at https://github.com/brianhama/TorExitNodeManager.  To use the project, simply add a reference to your web application and use the following line of code to check if an incoming web request is from the TOR network:

ExitNodeManager.IsAddressTorExitNode(HttpContext.Current.Request.UserHostAddress)
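
The in-memory screening described above, sketched as an added example (not code from the TorExitNodeManager project; ExitNodeSet and its methods are hypothetical names). It assumes the exit list is plain text with one IP address per line, and it uses a constructed sample list from documentation-only address ranges:

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Net;

// Added example: ExitNodeSet is a hypothetical class, not the TorExitNodeManager API.
public sealed class ExitNodeSet
{
    // Replaced wholesale on refresh so request threads never see a half-built set.
    private volatile HashSet<IPAddress> _nodes = new HashSet<IPAddress>();

    // Assumed list format: plain text, one IP address per line, '#' starts a comment.
    public int Load(TextReader list)
    {
        var fresh = new HashSet<IPAddress>();
        string line;
        while ((line = list.ReadLine()) != null)
        {
            IPAddress ip;
            line = line.Trim();
            if (line.Length == 0 || line[0] == '#' || !IPAddress.TryParse(line, out ip))
                continue;                    // skip blanks, comments and malformed rows
            fresh.Add(Normalize(ip));
        }
        if (fresh.Count > 0) _nodes = fresh; // keep the previous set if a refresh came back empty
        return fresh.Count;
    }

    public bool Contains(string remoteAddress)
    {
        IPAddress ip;
        return IPAddress.TryParse(remoteAddress, out ip) && _nodes.Contains(Normalize(ip));
    }

    // Dual-stack listeners report IPv4 clients as ::ffff:a.b.c.d; compare those as IPv4.
    private static IPAddress Normalize(IPAddress ip)
    {
        return ip.IsIPv4MappedToIPv6 ? ip.MapToIPv4() : ip;
    }
    public static void Main()
    {
        // Constructed sample list using documentation-only address ranges.
        var set = new ExitNodeSet();
        set.Load(new StringReader("# sample\n192.0.2.10\n198.51.100.7\nnot-an-ip\n2001:db8::1\n"));
        Console.WriteLine(set.Contains("192.0.2.10"));           // listed IPv4 address
        Console.WriteLine(set.Contains("::ffff:198.51.100.7"));  // same check, mapped form
        Console.WriteLine(set.Contains("203.0.113.5"));          // not on the list
    }
}
```

Behind a reverse proxy or load balancer, UserHostAddress is the proxy's address, so the check has to be given the client address the proxy forwards.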

Caveat

Not all websites are good candidates for this solution.  There are probably a number of legitimate reasons someone might need to use TOR, but I can’t really think of what they might be right now.


Tinder for Windows Phone

I have developed a Tinder app for Windows Phone called ‘Tinder Unauthorized’.  The app is almost identical looking to the official Tinder app on iPhone and Android.  The app is free and without advertisements.

The app is currently in the submission process for the Windows Phone store, but anyone with a developer unlocked phone can side-load the app now by downloading it from www.tinderwp.com.

The app has also been released open-source so anyone can take a look at the code and improve the app by visiting the project’s GitHub page.


Facebook Connect Auto-Login Solution for Windows Phone

The Current Problem with Using Facebook Login on Windows Phone

One of the really nice things about developing for iPhone or Android is the ability to use the Facebook SDK to expedite your app’s account creation process.  By using the Facebook SDK on these platforms, users do not need to re-enter their Facebook email and password.  So long as they have signed into Facebook on the phone at some previous point in time, all the user has to do is grant permissions to your app using a dialog similar to the one displayed here:

Unfortunately, there is no official Facebook SDK for Windows Phone and it seems unlikely one will be released anytime soon.  As a result, Windows Phone developers have resorted to displaying the Facebook mobile web login page within a WebBrowser control in their apps.  This approach works, but because the WebBrowser control keeps the browser cookies isolated to that particular app, it requires any new user of your app to always log in to Facebook.  This significantly reduces the effectiveness of using Facebook login to expedite your app’s account creation process.

The Solution

Part 1: Initiate login from the mobile app

To solve this problem, I take advantage of the fact that the phone’s standalone web browser does save Facebook session cookies.  Rather than show the Facebook mobile web login page within a WebBrowser control, I open it in the standalone browser using the WebBrowserTask class:

var browserTask = new Microsoft.Phone.Tasks.WebBrowserTask();
browserTask.Uri = new Uri("https://www.facebook.com/dialog/oauth?client_id=<APP ID>&scope=<PERMISSIONS>&response_type=code&display=touch&redirect_uri=<URL ON YOUR SERVER>");
browserTask.Show();

If the user was already logged into Facebook from their phone’s web browser, they will bypass the login screen and be taken directly to the screen for authorizing your app’s permissions, just as on iPhone or Android.

Part 2: Handle login result on web server

As the login request’s redirect_uri I pass the address to a resource on my web server.   This server-side page processes the result of the login request and exchanges the login code for an access token using Facebook’s server-side authentication flow.  The code required to perform this is quite lengthy and outside the scope of this blog post.  It has been extensively documented in Facebook’s API documentation though.

Part 3: Using a Custom Protocol to send access token to app

After exchanging the code for an access token, the following Javascript is written to the response stream:

window.location = '<YOUR APP’S CUSTOM PROTOCOL>:FacebookConnect?token=<ACCESS TOKEN>';

The app needs to have declared the custom protocol within the app’s WMAppManifest.xml file.  You then need to create a subclass of UriMapper to handle the app’s launch.  Here is an example of the class you will need to create:

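using System;
using System.Windows.Navigation;

public class CustomUriMapper : UriMapperBase
{
    public override Uri MapUri(Uri uri)
    {
        // The launch URI arrives URL-encoded, so decode it before looking for the token.
        string tempUri = System.Net.HttpUtility.UrlDecode(uri.ToString());
        if (tempUri.Contains("FacebookConnect?token="))
        {
            // Everything after "token=" is the access token written by the server page.
            string token = tempUri.Substring(tempUri.IndexOf("token=") + "token=".Length);
            // Save token or something
            return new Uri("/Pages/HomeScreen.xaml", UriKind.Relative);
        }
        // Not a Facebook login launch: leave the URI unchanged.
        return uri;
    }
}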
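
One way to harden the hand-off in Part 3, as an added example that is not from the original post or the WNM Live app: the app appends a random state value to the dialog/oauth URL and only accepts a launch URI that carries the same value back. LoginHandoff, the myapp protocol and the token value are hypothetical, and the example assumes the server page copies the state parameter Facebook returns to redirect_uri into the custom-protocol URI.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

// Added example: LoginHandoff is a hypothetical helper, not code from the original post.
public static class LoginHandoff
{
    // Random value the app creates before opening the browser and keeps until the callback.
    public static string NewState()
    {
        var bytes = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        return BitConverter.ToString(bytes).Replace("-", "");
    }

    // Assumed launch URI shape: "<protocol>:FacebookConnect?token=...&state=...".
    public static bool TryAccept(string launchUri, string protocol, string expectedState, out string token)
    {
        token = null;
        string prefix = protocol + ":FacebookConnect?";
        if (launchUri == null || !launchUri.StartsWith(prefix, StringComparison.Ordinal))
            return false;                             // some other launch, not the login hand-off
        var query = new Dictionary<string, string>(StringComparer.Ordinal);
        foreach (string pair in launchUri.Substring(prefix.Length).Split('&'))
        {
            int eq = pair.IndexOf('=');
            if (eq <= 0) continue;
            string key = pair.Substring(0, eq);
            if (query.ContainsKey(key)) return false; // duplicate parameters are ambiguous
            query[key] = Uri.UnescapeDataString(pair.Substring(eq + 1));
        }
        string state, value;
        if (!query.TryGetValue("state", out state) || state != expectedState)
            return false;                             // not the login this app started
        if (!query.TryGetValue("token", out value) || value.Length == 0)
            return false;
        token = value;
        return true;
    }

    public static void Main()
    {
        string state = NewState(), token;
        // Constructed launch URIs; "myapp" and the token value are placeholders.
        Console.WriteLine(TryAccept("myapp:FacebookConnect?token=EXAMPLE&state=" + state, "myapp", state, out token));
        Console.WriteLine(TryAccept("myapp:FacebookConnect?token=EXAMPLE&state=0000", "myapp", state, out token));
        Console.WriteLine(TryAccept("myapp:FacebookConnect?token=EXAMPLE", "myapp", state, out token));
    }
}
```

The app should discard the stored state after one successful use so that a replayed launch URI is rejected.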

Limitations

  • If the user has never logged into Facebook using their phone’s web browser, they will still need to log in, but the flow will still function.
  • Only works with Windows Phone 8 and higher due to requirement for custom protocol.
  • Requires a lot of work to set everything up properly.  Unless you expect to have a LOT of users it probably isn’t worth the effort.

You can see this functionality for yourself by downloading the WNM Live app.  I added this approach to the WNM Live app a few months ago and it has been working reliably.


Why Windows Phone is a huge opportunity for indie developers

There are 800,000 apps on Google Play, 900,000 apps on the App Store, and 160,000 apps on Windows Phone Store. With 2.5 billion downloads per month on Play, 2 billion downloads per month on iOS, and 200 million downloads per month on Windows Phone, it seems clear that Android and iOS are winning the platform wars. However, as an independent developer with apps on all of the major stores, the raw numbers and the reality of creating success on any given platform diverge greatly.

If you want your app to be noticed, there are basically three options at your disposal for organic downloads. The first is that your app is inherently viral in nature – this will depend on rigorous testing of invitation flows before launching, and having a strategy to overcome the initial chicken-and-egg problem. There are maybe 5 or 10 apps a year that figure this out and you can see them dominating the top 25 overall paid and free charts on all platforms.

The second is that you form a strategy for boosting your app into the top 25 in a particular category of the App Store and hope that it has staying power. There are about 25 categories on each store, so there are about 600 slots available for developers to fill. According to mobile app marketing company TradeMob, you can pay your way into one of the App Store’s more competitive top 25 charts for $96,000.

The third is getting featured. This largely depends on your relationship with app store editorial teams, and there are roughly 500 apps featured a year.

Discounting overlap between the category killers, featured apps, and viral apps, you’re really talking about 1000 apps each year that are generating significant organic downloads on each platform, and most developers don’t have the resources or the insider relationships to be one of them. We don’t have access to the full data, but you can make a very educated guess and see that on each app store, the vast majority of the apps are part of a long tail of apps that receive very few downloads and probably don’t even generate enough revenue to sustain themselves.

Seen this way, the volume of users downloading apps should be less of a factor in your decision to start developing on a new platform, as it’s nobody’s goal to be one of these long tail apps. Instead, you should look at how easily you can make it into the top 1000 apps each year that are creating real financial opportunities. And I think in this area, Windows Phone provides a significant advantage over iOS and Android.

First, there are fewer total apps to compete with to get into the top 1000. Second, the actually good app developers have relationships with Apple and Google and often have money to spend on getting into the top categories. In contrast, most Windows Phone apps are created by independent shops and non-professionals – basically the quality threshold for the top 1000 is much lower. Users take notice of good apps on the platform. Third, Microsoft doesn’t require an existing relationship to be featured – they have an entire team of evangelists that are quite public and are there to assist you with getting distribution. They are a market laggard that has money to spend and are highly motivated to help good Windows Phone apps succeed.

This isn’t just a theory either – I’ve spoken with many other Windows Phone developers and the story is virtually the same for all of us that took a risk developing on the platform. Our app is ranked 20th in the social networking category on Windows Phone and it made $250,000 in revenue last year on the platform. On iOS, our equivalent app has made almost nothing. Taptitude, an app developed by four brothers as a side project, is generating $500,000 in annual revenue from Windows Phone. The equivalent app on Android has less than 10,000 installations. Elbert Perez makes a collection of simple 8-bit Windows Phone games and has brought in 2,000,000 downloads and hundreds of thousands of dollars. In fact, the average Windows Phone app brings in almost $20,000 annually.

Big companies are starting to take notice of the favorable economics as well – Path, Vine, Flipboard, and many of the other large app developers have announced their plans to come to Windows Phone. More of the big mobile players will be arriving shortly. Now more than ever is the time to cement your place in the Windows Phone platform and at the top of their charts. Don’t miss out on this potentially final mobile gold rush, because it won’t last long.
