App Store randomly opening? An advertising network is doing it

How DARE you interrupt my kitten viewing!

Recently I’ve noticed that, every so often, my iPhone spontaneously opens the app store page for some stupid game or other. It’s usually when I’m reading a blog with advertising on it, or looking at pictures of kittens. Sometimes it happens from Safari, and sometimes from apps serving their own content. It seems that I’m not alone in finding this annoying, and it looks like it may affect Android devices too. Worried (as others are) that this might be some novel strain of malware, I decided to do a bit of digging, which revealed that one of the embedded advertising networks is being an arsehole.

I should say at the outset that Cheezburger is all kinds of awesome, and none of this is their fault. I feel for them in that, somewhere along the line, a misbehaving operator is sabotaging their stuff.

I’ve recently built a Sheevaplug as a caching DNS server for my home network, so it was a handy place to bring up a squid proxy. I configured it in proxy-only mode, and set it as the proxy on my iPhone so that I could capture all the phone’s traffic without faffing around with router reconfiguration. A few minutes of kitten admiration later, and it happened: the Cheezburger app suddenly launched the App Store page for something called ‘Clash of Clans’ (no, it doesn’t get a hyperlink here, because this is a bloody rude thing to do).

Digging through the tcpdump output with the lovely Wireshark (which is what my final year degree project should have been… but I digress), I found that the Cheezburger app issued a request to Tictacti, which redirected to Appia, which then redirected to

http://hastrk2.com/serve?action=click&publisher_id=15214&site_id=8688&offer_id=245126&ref_id=APPIA138893329080912448003956736&sub_campaign=A032_A026_A000373&sub_publisher=Appia&mac_address=&android_id=&odin=&ios_ifa=&android_id_md5=&android_id_sha1=

Presumably hastrk2.com is an advertising network; browsing to it gives a redirect to the Google Play store, which is a pretty misleading thing to do if it’s not Google’s domain. The domain is registered to an individual in Seattle, and the IP address is in Amazon Web Services’ range, making me think it’s not Google at all. I hear that Google has a reasonable amount of hosting capacity without relying on AWS.

Anyway… the unpleasantness happens when hastrk2.com replies with

HTTP/1.0 302 Moved Temporarily
...other headers...
Location: itms-appss://itunes.apple.com/app/clash-of-clans/id529479190?mt=8

Well that’s not very friendly. itms-appss is a URL scheme that jumps to the App Store, and when the running app tries to open it, iOS faithfully jumps to that app’s page (as if you’d buy it after that nasty experience). Interestingly, searching for itms-appss documentation gives some Apple documentation pages, but none of them refer to that scheme any more, so I don’t think it’s meant to be used in this way.
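
The redirect chain described above can be pulled out of a capture mechanically. The following is an added example, not code from the original post: it walks captured HTTP responses hop by hop and reports the point where a redirect hands off to a non-web scheme such as itms-appss. The Tictacti and Appia hostnames are constructed placeholders, and the hastrk2.com query string is shortened.

```python
from urllib.parse import urljoin, urlsplit

WEB_SCHEMES = {"http", "https"}

# Constructed capture: request URL -> raw response text. Only the final
# status line and Location value are taken from the article.
CAPTURE = {
    "http://ads.tictacti.example/ad":
        "HTTP/1.1 302 Found\r\nLocation: http://click.appia.example/c\r\n\r\n",
    "http://click.appia.example/c":
        "HTTP/1.1 302 Found\r\n"
        "Location: http://hastrk2.com/serve?action=click&offer_id=245126\r\n\r\n",
    "http://hastrk2.com/serve?action=click&offer_id=245126":
        "HTTP/1.0 302 Moved Temporarily\r\n"
        "Location: itms-appss://itunes.apple.com/app/clash-of-clans/id529479190?mt=8\r\n\r\n",
}

def parse_response(raw):
    """Return (status_code, headers) with header names lower-cased."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    parts = lines[0].split(None, 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError("not an HTTP status line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers

def trace_redirects(start_url, capture, max_hops=10):
    """Follow 3xx hops; return (hosts visited, non-web Location or None)."""
    hosts, url = [], start_url
    for _ in range(max_hops):
        if url not in capture:
            break
        hosts.append(urlsplit(url).hostname)
        status, headers = parse_response(capture[url])
        location = headers.get("location")
        if not (300 <= status < 400 and location):
            break
        # Resolve relative redirects first so "/path" is not mistaken for a
        # scheme change; absolute URLs with other schemes pass through as-is.
        location = urljoin(url, location)
        if urlsplit(location).scheme.lower() not in WEB_SCHEMES:
            return hosts, location
        url = location
    return hosts, None
```

The last host in the returned chain is the one that issued the app-launching redirect, which makes it the candidate for a dstdomain ACL like the Squid rule further down.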

There are of course many ways to block this sort of horribleness—a nice Privoxy rule comes to mind—but these squid directives did it for me:

acl appstore_jumpers dstdomain .hastrk2.com
http_access deny appstore_jumpers

Online advertising pays for some wonderful things, but being cretinous just makes people hate your customers. At worst, people suspect a fault and end up in an Apple Store looking confused. So, to those responsible for this crap, I say: Get it right up you, scumbags.

Filed under ios, iphone

6 Responses to App Store randomly opening? An advertising network is doing it

  1. Dragan Culum

    Hey!

    Appreciate the article! Could it be someone making money off of this as “commercial”? If so, the person is making LOTS of money this way.
    Anyhow; I was wondering if you could provide some instructions as to how I could implement the code in the last segment of the article.

    Is the below code one that blocks this app-store jump?

    If so, how do I get this to work on my iPhone?

    “acl appstore_jumpers dstdomain .hastrk2.com
    http_access deny appstore_jumpers”

    Thanks in advance!

    Regards,
    Dragan

    • flup

      Hi Dragan,

      It’s just a nasty tactic to drive traffic to the app store, so that people download the ‘free’ app and go on to buy the inevitable in-app purchases.

      The code in the article is a config snippet for Squid, which (in simple terms) is a program which sits between your iPhone and the Internet. You’ll need a separate computer to run it on (I have a Sheevaplug for other things, so I just put it on there), and set it as the iPhone’s HTTP proxy for your wireless network in Settings -> Wi-Fi.

      Cheers
      - Ian

  2. Dragan Culum

    Hello Ian,

    Thanks for your reply!

    Nasty tactic indeed. Desperate measures much.

    I will apply this on my computer and phone as soon as possible. Again, thanks!

    Kindest regards,
    - Dragan

  3. khalifa

    Hi

    Thank you for providing a solution

    but I have a question: How can I write the code in my iPad?

    Best Regards

    • flup

      Short answer: you can’t. The config I’ve given is for an external proxy, so won’t be of any use to you unless you know how to build and configure such things. I don’t know of any way around this other than using something external.

  4. I think a router can be set up with a filter for the URL hastrk2.com.
