Overcoming Psiphon Clones

A clone can be hard to recognize. It often looks and functions like anything else you would use. In the world of open source apps, a clone is a copy of an app published by a source other than the original developer. While they may not be inherently bad, clones create many challenges and insecurities for the open source community.

When app clones exist, people's privacy and security are at risk. That risk extends to others in their family or circle if they download and share a clone embedded with malware. Consider this case:

In 2018, Telegram was blocked in Iran. A company sent SMS messages promoting VPN software as a way to regain access to Telegram. When people clicked the link, they were taken to a site where they downloaded a trojanized version of Psiphon6. Once installed, the app took over the device: it sent the original SMS message to the victim's contacts, spreading the malware further, deleted their contacts, and accessed sensitive personal information such as account logins and bank details.

As a partner of the OTF Usability Lab, we were asked by the Psiphon team to look into the issue of inauthentic clones. For the Psiphon team, clones cause major usability problems: people do not get the right version of the app, and some have trouble connecting to the network from versions that carry additional, confusing UI.

We set out to understand which behaviors lead people to use a clone and, from there, to discover which steps can be taken to:

  • Increase the adoption of original apps; and

  • Lower the chance of malware spreading through open source apps

There are actionable steps for open source teams and the community to take. Our hope in sharing this research is that conversations will begin and steps will be taken to proactively prevent the spread of malware among our communities.

For tool teams

Build your brand credibility and claim your presence among communities—“12 Steps to Make Your App Easy to Recognize and Get.”


For Communities

Limit your exposure to a malware attack. Here are 7 things to help—“Don’t Eat Free Cheese.” Check them out. Teach your peers.


Psiphon as a Case Study

To overcome internet censorship, Psiphon offers many different ways to download its app. Alongside these, fan sites, unofficial websites, and social media pages exist. The existence of multiple distribution channels gives users an inconsistent, poor experience of the brand and product. While some channels distribute official versions, others distribute inauthentic clones. Some clones add confusing UI that leads users to believe they must configure the network manually; doing so at random often causes problems connecting to the network. Other clones request extra, unnecessary permissions.

The above websites offer a download of the Psiphon Android app. Only one is from the official team.
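One practical way to spot the "extra, unnecessary permissions" described above, and the SMS-spreading and contact-deleting behaviour of the 2018 case, is to compare what a suspect build asks for against what the authentic build needs. The following is an added example, not Psiphon's own tooling or manifest: it assumes the APK's AndroidManifest.xml has already been decoded to plain XML (for instance with apktool), and the baseline permission set and both sample manifests are constructed for illustration.

```python
"""Audit a decoded AndroidManifest.xml for permissions the official build
does not request.  Added example; the baseline set and sample manifests are
constructed assumptions, not Psiphon's real manifest."""
import xml.etree.ElementTree as ET
from typing import Dict, Set

# Attribute namespace used by android:name in every manifest.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed baseline: what we assume the authentic build requests.
OFFICIAL_PERMISSIONS = frozenset({
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.FOREGROUND_SERVICE",
})

# Permissions that enable the abuse seen in the 2018 trojanized clone
# (spreading by SMS, wiping contacts); anything else that is off-baseline
# gets a generic note so it still shows up in the report.
HIGH_RISK: Dict[str, str] = {
    "android.permission.SEND_SMS": "can send SMS messages, e.g. to push the download link to contacts",
    "android.permission.READ_SMS": "can read incoming SMS, including one-time codes",
    "android.permission.READ_CONTACTS": "can harvest the address book",
    "android.permission.WRITE_CONTACTS": "can delete or alter contacts",
}


def requested_permissions(manifest_xml: str) -> Set[str]:
    """Return the set of android:name values on <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for element in root.iter("uses-permission"):
        name = element.get(ANDROID_NS + "name")
        if name:
            names.add(name)
    return names


def audit_manifest(manifest_xml: str, baseline=OFFICIAL_PERMISSIONS) -> Dict[str, str]:
    """Map each permission not in the baseline to a short risk note.

    An empty dict means the build requests nothing beyond the baseline.
    """
    extra = requested_permissions(manifest_xml) - baseline
    return {
        perm: HIGH_RISK.get(perm, "not requested by the official build")
        for perm in sorted(extra)
    }


# Constructed sample: a manifest matching the assumed official baseline.
OFFICIAL_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.official">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
</manifest>
"""

# Constructed sample: a repackaged build asking for SMS and contact access.
CLONE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.clone">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.WRITE_CONTACTS"/>
</manifest>
"""

if __name__ == "__main__":
    for label, manifest in (("official", OFFICIAL_MANIFEST), ("clone", CLONE_MANIFEST)):
        findings = audit_manifest(manifest)
        print(f"{label}: {'no extra permissions' if not findings else ''}")
        for perm, note in findings.items():
            print(f"  {perm}: {note}")
```

Run against a real decoded manifest, the report lists only what goes beyond the baseline, so a build that is merely a rebranded copy with no added permissions comes back clean while one that asks for SMS or contact access stands out immediately. The baseline itself should be taken from the official build's manifest, not from this example.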


Outcomes of the Research

We discovered that clones exist for different reasons, and will continue to exist. In some cases, clones arise because an app or service isn't available in a country or language. In other cases, people repackage an app with adware to make money.

In addition, we learned that people are casual about getting apps. They download them from various sources depending on their situation, where they live, and what they think. These sources range from sharing in messaging apps and over Bluetooth or Xender to downloading directly from Google Play. Generally, people want what is easy and available, and don't think much about the source or their security.

‘Research Insights’ Preview

We spoke with 15 people from seven focus countries (China, Ethiopia, India, Indonesia, Iran, Nicaragua and the Philippines) and gathered insights from a survey distributed to 21 countries with 66 participants. See the full Research Insights.


Summary of Solutions

It's probably impossible to 'overcome' clones. Rather, the focus should be on increasing adoption of the authentic Psiphon app, in the hope that people who would otherwise get a clone choose the authentic version and do what it takes to get it.

We made recommendations to the Psiphon team to help increase the adoption of their official app over a clone. Check them out at https://docs.google.com/document/d/1PsypygEHtBLx89dhSZFj31_I7o_Hqj3KU_hSCoArkTY/edit?usp=sharing

The core ideas for the Psiphon team have been extracted and shared as "12 Steps to Make Your App Easy to Recognize and Get." If you are an open source team, be sure to check it out. If you download apps, especially from non-official sources, have a look at "Don't Eat Free Cheese," where we share quick, easy tips for proactively keeping malware off your phone.
