Welcome to WebmasterWorld Guest from 34.238.192.150

Forum Moderators: martinibuster

Message Too Old, No Replies

Scammers Found New Way to Steal Content, Adsense Affected

     
3:47 pm on Aug 25, 2018 (gmt 0)

Junior Member

joined:May 1, 2018
posts: 53
votes: 8


Hello,

I have found that a scammer has created an Android app for my website without explicitly asking for my permission. This scammer has embedded my website in a webview (android library to load standalone webpages) and on top of that he is loading his own admob ads. This is not a proper native android app in itself specifically, just a wrapper to load my website in webview. The app just looks like a website loaded in web browser.

Now the problem is: It is against adsense policies to embed websites in webview (think iframe) and show adsense ads in it. What if tomorrow Google or automated adsense bots ban my account for breaking policies? I have no fault in this.

I have already sent multiple emails to the developers requesting them to remove the app, they are not replying. I have also reported this app many times in last two months to Google via play store form, but no action has been taken yet. This developer is a true scammer and has created similar apps for other websites as well.

If a website copies my content and adsense ad code, I can mark it as "unverified" in adsense dashboard to avoid misuse. However, this guy has created an app with my own website's root URL and I can't mark it as unverified.

I just don't understand how Google is allowing these kinds of apps in Play Store? Ironically, I created an Android app for my website a while back and it was rejected. The play store team stated the reason being I am not the true owner of the website. So I had to freaking prove ownership of my own website and they reinstated the app. In this case, a third party developer has embedded my website in full glory and it has been accepted, no questions asked, no rejections.

What to do in this situation? I cannot DMCA because I have tech news website. There is nothing like original artwork, images or other original content to claim copyright. Most of the information is available freely on other websites as well.
5:38 pm on Aug 25, 2018 (gmt 0)

Senior Member

WebmasterWorld Senior Member Top Contributors Of The Month

joined:Nov 13, 2016
posts:1194
votes: 288


Does this App remove the ads from your site? or alter the page? If it's simply showing the page like a browser is doing, then it's not really stealing.

Now the problem is: It is against adsense policies to embed websites in webview (think iframe) and show adsense ads in it. What if tomorrow Google or automated adsense bots ban my account for breaking policies? I have no fault in this.

I don't think you have anything to worry about it. The structure or your site remains the same, and YOU are not displaying Adsense ads (with your pub id) inside an iframe, the fact the whole page is inserted using an iFrame or webview. As I said, it sounds the same as what a browser is doing.

However, what you can do is report the App to Adsense.
6:30 pm on Aug 25, 2018 (gmt 0)

Junior Member

joined:May 1, 2018
posts: 53
votes: 8


I believe they are stealing it because they have slapped their own branding on app title bar and play store listing. No where in their app have they mentioned my website or given credits. They never contacted me to create an app for my website. I already have an app for my website on play store.

They are also showing full screen admob ads everytime back button is pressed or page is refreshed.

They haven't altered anything and they are loading full website along with my adsense code.

Play store policies prohibit this kind of behaviour. Think of an app developer that has uploaded "AmazingStore" or "Fatebook" app on play store. After opening the app, all you see is amazon.com
or facebook.com homepage embeded in webview. What would amazon do after finding it? Nuke it in a second.

Play store also prohibits uploading apps for third party websites without explicit permission from website owners. These apps violate impersonation and brand spoofing policies on play store. That is why play store initially rejected my app and I had to prove ownership.

This app is also not an RSS app or news aggregator. This app only loads one website and that is my website :(

Google can detect if website is loaded via a browser or webview using some methods on android. I think user string detection is one of them.

I can live with another user shamelessly inserting his own ads over my full website and taking benefits from my hard work. I am more worried about policy violation it brings and I will be the one to suffer in case something happens.

[edited by: dartttt at 6:41 pm (utc) on Aug 25, 2018]

6:37 pm on Aug 25, 2018 (gmt 0)

Junior Member

joined:May 1, 2018
posts: 53
votes: 8


There is also webview kind of library on ios (don't know the correct name). Embedding full website with adsense code in this ios webview is also an adsense policy violation.
6:34 pm on Aug 26, 2018 (gmt 0)

Junior Member from US 

Top Contributors Of The Month

joined:Oct 26, 2017
posts:44
votes: 11


I had a similar issue a few years back. Although, in my case it actually helped my site.

I noticed a sudden spike in traffic for some months, so I wondered where it came from, as I hadn't done any promotion that period.
An "app developer" then contacted me asking permission to have my site accessible in their new app (along with other sites).

I looked them up, and it turned out they already had a version of this on the play store.
It just offers different sites in my niche under their app name.
So when you launch the app, it shows about 10 site names (including mine), and you can browse them inframe.

I told him I was aware they had already previously implemented something similar without permission. However, they could go ahead with the new one, but I would monitor things for any potential issues.

He was very thankful and went on his way. I didn't give him a hard time, because I knew it gave the site a boost and new visitors.
6:34 am on Aug 27, 2018 (gmt 0)

Junior Member

joined:May 1, 2018
posts: 53
votes: 8


I don't have a problem with any app that shows multiple sites in same niche or RSS or News App. This developer is claiming my site to be his own and showing his own admob ads along with my adsense ads. Even an RSS app that loads your full website with adsense ads in webview can land you in hot waters.

He is also tricking users by using a very similar name to my website. Example: Lets say my site name is CoolTechNews and his app name is TechCoolNews. My website is not the only one he has created an app for. He has created separate apps for other websites as well with names sounding quite similar to original websites.

I think it is hard to explain here but any website owner/developer would be upset after seeing that his website is being stolen and claimed by a third person as his own. If anyone here to look at this app, they will instantly recognise how this developer is ripping of many websites including my own.

In any case as I have said earlier, I am more worried about policy violation and I have also read that someone's adsense account received a violation notification in past for embedding full website in webview.
6:49 am on Aug 27, 2018 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12913
votes: 893


Is the perp loading your site content using an ifame? Have you added security headers to stop it? [webmasterworld.com...]
7:11 am on Aug 27, 2018 (gmt 0)

Junior Member

joined:May 1, 2018
posts: 53
votes: 8


Not a PWA, just an android app that loads third party website in full glory in webview. There is no address bar, forward/backward controls, nothing at all.

This guy has created an app: Photo Editor. When you open the app, it loads an online photo editing website in webview. He is not the owner of website.

Another app he created is Basketball Scores and then he loads a third party website that shows basketball scores. I can see ads being loaded in this website inside his app. On top of that he has inserted his own admob ads.
7:16 am on Aug 27, 2018 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12913
votes: 893


So to stop your site from being loaded into his app, install the security headers discussed in the link I provided... especially:
X-Frame-Options: deny 
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Permitted-Cross-Domain-Policies: none
7:24 am on Aug 27, 2018 (gmt 0)

Junior Member

joined:May 1, 2018
posts: 53
votes: 8


It is not an iframe particularly but works similar to an iframe. In simple terms, webview is a sort of lightweight browser in which a full website can be ebmedded or loaded. In many cases, it doesn't perform well like popular browsers Chrome and Firefox.

At this moment, there is no way to block this kind of behaviour and many websites are becoming victims of these kind of practices. The only way to combat this is to report these apps to Google for play store policy violation.

However, Google's Automated AI is so smart that first it allows such apps on play store and then another machine learning method ignores any such policy violations reported via play store.

[edited by: dartttt at 7:30 am (utc) on Aug 27, 2018]

7:29 am on Aug 27, 2018 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12913
votes: 893


I have webview installed on my android devices.

So again, where are these apps? Are they available in Google Play or a 3rd party app store? If Google play, they should be easy enough to get removed.
7:33 am on Aug 27, 2018 (gmt 0)

Junior Member

joined:May 1, 2018
posts: 53
votes: 8


Available on play store, reported many times. No action taken.

I have also used my friends' mobile devices to report these violations but every report seems to go in a blackhole.
7:35 am on Aug 27, 2018 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12913
votes: 893


If your content is being "live loaded" you may be missing an opertunity to have some fun.
7:40 am on Aug 27, 2018 (gmt 0)

Junior Member

joined:May 1, 2018
posts: 53
votes: 8


A screenshot of problem I am describing, taken from play store policy document.

[i.imgur.com...]
7:50 am on Aug 27, 2018 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12913
votes: 893


From the screenshot, it appears to clearly violate Google Play rules. I wonder why they aren't taking action.

Have you tried complaining in Google forums?

I'd make a lot of noise. I'd also install those security headers.
7:55 am on Aug 27, 2018 (gmt 0)

Junior Member

joined:May 1, 2018
posts: 53
votes: 8


No action is being taken because no humans are reviewing these violation reports.

Everything is automated and AI/machine learning is used.

Google has a way to detect if an adsense ad is loaded in webview or a proper browser. I would hate a ban hammer for no fault of my own.
9:51 am on Aug 27, 2018 (gmt 0)

Junior Member from US 

Top Contributors Of The Month

joined:Oct 26, 2017
posts:44
votes: 11


Yeah, these things can be incredibly frustrating.
I remember once when some site was stealing 100% of my content. I couldn't even get Google to take action after filing a DMCA.
They told me to talk it out with the thief. WTF!

This person was blatantly abusing Adsense policies and still running ads on stolen content, and that's how they handled it.
The thief even told me something along the lines of "too bad, it's your word against mine."
I detailed it here two years ago [webmasterworld.com...]

Maybe see if there are other avenues you can cripple their operation with. Maybe contacting their hosting services etc.
10:41 pm on Aug 28, 2018 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:June 18, 2005
posts:1868
votes: 90


Can you detect if your page is loaded from that application (a specific user agent string maybe) and redirect to the infamous goat site?
11:51 pm on Aug 28, 2018 (gmt 0)

Junior Member

Top Contributors Of The Month

joined:May 1, 2018
posts: 104
votes: 17


You should be able to detect your website is being loaded through webview for android in JavaScript or server side. Do the requests have the header HTTP_X_REQUESTED_WITH?
9:19 am on Aug 29, 2018 (gmt 0)

Junior Member

joined:May 1, 2018
posts: 53
votes: 8


@Steven29 How to do it from Javascript side?

These are the headers for my site:

Request headers:

Host:
User-Agent:
Accept:
Accept-Language:
Accept-Encoding:
DNT:
Connection:
Upgrade-Insecure-Requests:
If-Modified-Since:
If-None-Match:
Cache-Control:

Response headers:

HTTP/1.1 304 Not Modified
Expires:
Date:
Cache-Control:
ETag:
Server:

Both Android and iOS allows changing webview user-agent-strings, so blocking on basis of user-agent-string may not work fully. Scammers can change and spoof any user-agent-string anytime.

Also note that webview allows javascript injection and the scammer can also store entire page source in a string as well and then remove any part as he wishes.

If I block him via javascript, he can remove that part altogether from html source.
9:43 am on Aug 29, 2018 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12913
votes: 893


webview allows javascript injection
Not if you use the security headers I suggested.

Take a look at the CSP [developer.mozilla.org] but I would install *all* the security headers.
9:58 am on Aug 29, 2018 (gmt 0)

Junior Member

joined:May 1, 2018
posts: 53
votes: 8


@keyplyr

Update:

I have these two headers:

X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block

These two are missing:

X-Frame-Options: deny
X-Permitted-Cross-Domain-Policies: none
2:49 pm on Aug 29, 2018 (gmt 0)

Junior Member

Top Contributors Of The Month

joined:May 1, 2018
posts: 104
votes: 17


if ($_SERVER['HTTP_X_REQUESTED_WITH'] == "your.app.id") {
//webview
} else {
//browser
}

If he is storing your website as a string, it shouldn't be loading as your url - wouldn it be like loading a local file?