Latest Posts (20 found)

How to stay in the coding flow using LLMs

We all know that moving to LLMs and agents has caused the feeling of losing touch with parts, or maybe even all, of a code base. This isn’t just something that is problematic for managing and handling the translation from business logic to implementation it is a problem because it feels exhausting . I’ve had coding sessions that lasted 12 hours and afterwards felt great. Meanwhile I’ve done LLM prompting for a few hours and felt exhausted or unsure of what I did. Lately I’ve been keeping this in mind and have been looking for a few ways in which I can maintain a flow state and take advantage of LLMs. Remember back in 2025 when this was the default way of using them? I actually still find this to be my preferred way. Using LLMs with code harnesses in projects injects so much unnecessary information that asking simple questions gets out control. For example, here I’m exploring some data, and I wanted a quick regex, I turned over to my VSCode chat window, and forgot that it was an agent, and asked it the question. It proceeds to start looking at the files, wanting to run code etc. All off target of what I need . So next I switched VSCode to “Ask” instead of agent, again the LLM is flooded with context about my project and proceeds to output a massive amount of distracting and off topic code suggestions. Switch to a browser chat window which has little to no context about what you’re working on and ask it my specific question, boom it spits out a few quick regexes for my Python list comprehension that are exactly what I need . Is this bad advice? Well, maybe. But was this what you’re already doing, definitely. But the point here is to multitask coding on more than one thing at a time. I’ve found that this keeps me in the flow state much better than if I let myself browse the news. So instead of switching from your agent -> browse social media switch between multiple projects. This depends on how your code / work is structured, but depending on the scope this means either switching between several agents in the same project or having several projects open at once. Types of positive multitasking to stay in the zone: For me, working on AppGoblin’s free ASO and mobile app ecosystem data , I have certain areas that *I* need to understand what is happening, for those reasons I do not let AI write anything more than boiler plate code. The clearest example of this I can give is SQL, where a lot of my most important relational logic exists. Sure, I can let an LLM one shot a complicated SQL and it will “work” but come weeks (or months!) later and I’ll find a complicated bug that slipped in. It’s not even necessarily about who was right/wrong in this situation, it’s that *I* need to know what’s going on in certain parts of the codebase. Something that ‘looks fine’ is a terrible feeling that later it was not what I wanted. This last one is probably best suited for other data crunchers out there, but it’s where I find a great sweet spot for staying in the zone. My favorite way to write code has always been to write code in an editor and send line to a REPL. This is also more or less how SQL gets written as well where you build queries in your SQL editor by slowly making changes to the data, checking values / assumptions and eventually getting to your final SQL query. With the LLMs, I find myself using this flow lately: It’s more or less the same as I did before, just a lot less writing and let’s me hold onto the difficult concepts longer. If you’re actually in the flow of editing code, the best way to augment your coding is with code completion. I’ve found this to be the most powerful in that I don’t even have to start letting my mind wander for how to do some boiler plate code, it just pops up automatically. I love this because it helps me think at a high level in the code without the distractions of trying to remember how to do something when the how is not the important part. Probably the only issue with this is that code completion can be quite annoying and distracting in some situations. For example, writing free form and handling imports at the top of a file are examples where LLM ‘helpful’ code completion is just not helpful. If you enjoyed this feel free to share. Working on related projects File and project cleanup. LLMs generate many extra files and code and it’s best to stay on top of that yourself. Go through and delete extra files. Try asking LLMs for advice on what to remove, but do be careful with this idea. Tell LLM to write new code for processing data Step through the code my self line by line, checking the hotspots where I know assumptions / tricky data might be

0 views
James O'Claire 2 weeks ago

The Pregnancy and Health Apps Still Leaking Data in 2026

When Yeeun Jo, a student at University of Illinois at Urbana-Champaign (UIUC) contacted me in 2025 to ask about data tracking in app advertisements related to women’s health and pregnancy I was a bit skeptical. I think I first told her along the lines that while such data collection was broad it was rarely so specific as the advertisers were unlikely to act on specific information like which week of pregnancy a woman was currently in. Not to mention, Facebook’s historic $5 billion FTC fine for deceptive third-party data tracking, and the FTC’s subsequent 2021 crack-down specifically targeting Flo Health for passing intimate logging metrics to Facebook’s SDK. I thought it was unlikely they’d find much. Well, it’s a year later and Yeeun was 100% correct in her guess that mobile apps and mobile ad networks were still tracking more data than I expected. She and Brad Reaves released their paper “Expecting (Targeted Ads)? Network Analysis of User Health Data Leakage in Fertility Tracking Apps” showing the high specificity which these events are tracked. I think what was surprising here is the accuracy of the X weeks and X months pre and post birth that were surprising here. While I of course would have expected the categories themselves like pregnancy / ovulation etc to be passed as those would be the easy high value adds for a pregnancy app to increase their monetization, the specificity of the time was much deeper than I expected. If you didn’t catch them in the lists there are plenty of things that stand out like apps sharing: ‘vaginalbleedingdischarge’ Then there is the ‘subcat=pregnancyloss,wknum=17’ which crosses a morality line. The data was collected similar to how I collect advertising data on AppGoblin by collecting all network traffic in and out of apps. Jo & Reaves went the additional step of “systematizing app features [and] conduct a series of standardized user interactions across all apps” which enabled them to capture the specific categories and times above like weeks, trimesters and category of pregnancy. This joins the massive stories from the past 7 years that started with Facebook in 2019 when it was reported that Flo had set their conversion metrics up based on health sensitive data. Thus Facebook was collecting and targeting their ads based on private data, which they were later fined and found guilty of. In the end Google and Flo Health had multiple settlements and paid $58 million in a class action settlement. You’d think in 2026 there wouldn’t have been so many apps still sending this data. Here are the apps called out in the paper. I added URL links to the data I’ve collected about the apps with AppGoblin. AppGoblin only collects data in the first app open and without any interaction, so I was unable to verify the specifics like ‘3rd trimester’ or other data being sent deeper in the user journey as collected by Reaves and Jo. What you can see on AppGoblin is each of the Ad Networks and data trackers currently integrated with each of the apps. The paper didn’t share the specifics of which apps sent which private data to which Ad Networks. I think this would be highly worth checking. It would require the specific walking through the app on boardings to trigger the various ad calls containing the relevant data. If anyone is interested in this as a project I’m happy to help. Please DM or email me.

0 views
James O'Claire 3 weeks ago

The Unbearable Cheapness of Open Weight Models

Today I was setting up Hermes to see how it does with web research. I chose DeepSeek V4 because I know it is cheap, but seeing it’s pricing next to Anthropic and OpenAI ‘frontier’ models is crazy. Nearly a 50x price increase based on tokens alone, let alone how much pondering any of their models might fall into (using more tokens for the same task). What worries me about this is that Anthropic and OpenAI seem to have backed themselves into a corner of high costs. Can they reasonably decrease their prices by 20-50x to compete with DeepSeek or Xiaomi’s Mimo? Are these models cheap because they are open weight and having hundreds or people stress test running them on different hardware helped to lower the cost? Or is it that they are being provided as loss leaders to drive the prices down? You manufacture scarcity. You sell luxury and premium branding. This is what OpenAI and Anthropic seem to be doing by gating ‘frontier’ model usage behind higher walls. This is how luxury brands have sold cars and hand bags forever. They are clubs and status symbols for the rich and not meant to be widely distributed. This has been my fear for a few months now and each week that goes by seems to support this. How do you manufacture scarcity? One easy way is to fear monger and get the government to help restrict access to competition. The US used to be such a champion of open source, and I would hope that serious open source competition can come out of the US to prove that open weight and open source models are ultimately the future. I think the leap frog scenario for Open Source will be the true Open Source models where the data pipeline for training is also open sourced. https://allenai.org/olmo -> You can download these models now and they’re seeing increasing popularity. That being said, they are a bit out of date, with data cutoffs in Dec 2024 Looking to the future, the US NSF partnered with Nvidia to enable Allen AI to develop a true fully open AI: https://www.nsf.gov/news/nsf-nvidia-partnership-enables-ai2-develop-fully-open-ai Curious to dig more into Claude / ChatGPT tech stacks? Check out the tools they used to build their iOS and Android apps: Claude Android ChatGPT Android You can navigate to SDKs to view even more detailed breakdowns of specific parts as well as unmapped SDK paths. Google Gemma 4 was released in April 2026 Meta had llama which hasn’t had a release OpenAI last released open weight gpt models in 2025 Anthropic to my knowledge has never released any open weight model

0 views
James O'Claire 1 months ago

Scan any iOS or Android App for SDKs and API Calls for Free with AppGoblin, no login

AppGoblin lets any user, from anywhere, request to scan any mobile app for the SDKs, trackers and API calls the app makes. AppGoblin has a 100% free android app that lets you select apps from your device. This lets you select groups or multiple apps at a time and see which trackers each app has. AppGoblin uses the data to show overviews of what companies each app has integrations with as well as detailed views for looking at which exact SDK parts are imported in the app. Feel free to reach out to me or AppGoblin and new companies/sdks/trackers can be added with ease. Search the app you’re interested in on AppGoblin Go to the main App page and press the “Scan SDKs & APIs” button AppGoblin goes and fetches the latest version of the app. AppGoblin analyzes the Android APK or iOS IPA file for known trackers, ad networks and other business tools that scrape user data. For Android apps, AppGoblin runs the app in an emulator to track what data leaves the app in the first 60 seconds The results are prepared and put on the public app page within 24 hrs

0 views
James O'Claire 1 months ago

Attribution in the Browser: Who Really Benefits from Google and Meta’s New Privacy Standard

Google, Meta and the unlikely addition of Mozilla are teaming up to work on a browser W3 specification that would add browser user agent features to track impression, click data and ‘conversion’ data. This data is then sent to respective parties Ad Impression → Ad Networks Conversions → Advertiser So far this is just a duplication of what is naturally tracked by each party, ie just their own resources. The difference then is that this data is forwarded by each party to an attribution service provider (Google/Meta/Mozilla) who aggregates and returns conversion histograms to the Ad network: Ad Impression → Browser Function → Ad Network → Attribution Provider Conversion → Browser Function → Advertiser → Attribution Provider At first glance, this would nearly seem like any expected flow of ad data, but here the “Advertiser” seems to stand in for the Ad Network , working on behalf of the advertiser. Why? Because otherwise the owner of the site would need to manage the attribution selection and call along with then updating the Ad Network. So what realistically will happen? Ad networks will require JS pixels to be dropped on the advertisers site to manage the and attribution process. So the real process: Ad Impression → Browser → Ad Network → Attribution Provider Conversion → Browser → Ad Network (via pixel on advertiser site) → Attribution Provider Firstly, this mostly seems to be a fix for situations where Cookies are removed. How is this problematic for users? As a user I do not mind when an advertiser (eg Nike) tracks what blog I came from to Nike website. My concern is a Meta / Google that tracks every site I was on and went to. So in this way, I think advertisers and users should be aligned. Mobile attribution is based on device fingerprinting. While MMP companies like AppsFlyer (45% app market share) are not mentioned, there could be some potential for MMPs to work on behalf of an mobile advertiser to call and gather attribution from mobile web to app that is *not* just fingerprinting. AppsFlyer has recently released web2app which, despite the hype, has the usual probabilistic and short lookback windows for deferred deep link installs. MMPs would have a strong desire to move from probabilistic to something more deterministic. The problem? The usual, what’s always kept mobile and digital ad measurement separate. A WebView opened by the advertiser app does not have access to the device regular browser cookies. Given that mobile operating systems are run by the ad networks Apple and Google respectively, you could see this some change here if the browser Attribution API comes to pass. Still they would likely have a hard time carving out a space for MMPs to stay between the ad network and advertiser. The API has the potential to support small web publishers but the danger that this is simply co-opted by the ad monopolies to consolidate their positions is real. With the idea of browser tracking ads, why not move the whole process into the local browser, completely cutting out the server calls until a conversion is recorded? This is a popular idea but would add potential avenues for ad fraud where a can be called locally where the ad network ecosystem wide resources to realize this is likely a fraudulent impression would be lacking. I think there is room there for other fraud fighting models to help, but the obvious threat of this type of fraud will likely keep a completely local attribution model from being developed for now. This leads to the current W3 spec and where we are now. I see real positives and negatives to the suggested specs. I’ll be keeping an eye on it in the coming weeks to months (deadline is November 2026 for the working group to finish) and see how it develops, or if this gets added to the Privacy Sandbox graveyard.

0 views
James O'Claire 1 months ago

App Marketing: Free App Analytics vs all the “Free” paywall companies

When SensorTower acquired AppMagic earlier this week it got me thinking about why. AppGoblin and many other tools offer many free and open resources for what SensorTower and AppMagic charge thousands for. Take a look at the paid vs free vs free (but limited) of the various ASO and app marketing services out there. None of them are anywhere near as expensive as SensorTower. I think that SensorTower sees this coming and wanted to acquire their biggest competitor to try keeping it’s moat as “the” destination for app analytics.

0 views
James O'Claire 1 months ago

How many app SDKs did Publicis add with LiveRamp acquisition?

I decided to check AppGoblin to see how many apps LiveRamp had when Publicis acquired it for $2b, the answer seems to be ~300 mobile apps out of the top 200k apps. This is based on apps found with the LiveRamp SDKs. The apps also have a particularly, older vibe to them, looking at some of the larger apps we see apps like Flipboard, Badoo and Skout using LiveRamp. The monthly installs here are likely even too high, as they are still based on some adjustments Google Play made to install counts in April that boosted many apps’ lifetime installs. Looking at the trend of market share for LiveRamp , as AppGoblin has crawled more and more apps over the past year, the marketshare for LiveRamp seems to have remained quite small and stead at ~0.13%. There was a ‘high growth’ but it was at the beginning of the data period, so this is was unlikely to be a true high growth period for LiveRamp. Overall I was surprised that the LiveRamp data was so little, though given the name brand of some of these apps, perhaps the LiveRamp deal is much more about online sites than it was mobile properties.

0 views
James O'Claire 1 months ago

AppGoblin App Ecosystem Report 2026 Q1

The 2026 Q1 App Ecosystem Report is here with a special section for those attending MAU in Vegas this week. Ad Networks were led by Verve once again after its strong Q4 2025, with other notable breakouts from Snap Inc. , TaurusX , adjoe , and Moloco . Business Tools were led by small but super fast growing Luciq . PayPal also posted strong mobile growth, while emerging companies like AppHarbr stood out. In attribution analytics, growth was broadly healthy across the category and was led by Tenjin . Open source product analytics platform Matomo also looked great heading into 2026. One notable absence from the growth list was AppsFlyer , which has historically been one of the category’s largest and most consistent performers but saw a small down tick in tracked market share. For Development Tools, Divkit posted solid growth. The framework launched in 2025 and is backed by Yandex . Report is totally free and the raw data is available as a free dataset download for the top 1000 app companies / ad domains to see their quarter-over-quarter 2026 Q1 growth: https://appgoblin.info/reports/app-ecosystem-report-Q1-2026

0 views
James O'Claire 5 months ago

Receiving Unexpected Positive Signals from the Mobile Ad Tech Community in 2026

I just wanted to write a bit about some of the inbound good vibes I’ve been getting from other industry thought leaders in 2026. I’m not writing this to gloat, but just to take a moment in the new year to enjoy the mobile ad industry recognition that myself and AppGoblin are starting to pickup. In 2025 I started having journalists reach out to collaborate on mobile data projects and research using AppGoblin’s resources. AppGoblin has also started building more features which people in the mobile ad and app user acquisition find genuinely useful. Then this month in January after the latest AppGoblin mobile app SDK report I got an outpouring of direct messages and public posts about the value of AppGoblin’s data as well as the respect people have for me as a person. Especially posts from Warren Woodward of Upptic. Sometimes I have my head down working too hard, so I wanted to take a chance to enjoy some recognition and remind myself the value that being public with recognition of others can be really meaningful. Then this wonderful support from Guido Farji of X3M: This peer proof of my work lead directly to several other companies picking up the latest AppGoblin SDK analysis report and sharing it. I’m just thankful that 2026 seems like it’s starting well and looking forward to all the new mobile ad tech products I’ll build this year.

0 views
James O'Claire 6 months ago

Mobile B2B Trends in 2025 SDK Usage across 50k Apps

At AppGoblin we just crunched the top 50k apps in 2025 and their SDK usage over the year and the report has gained a lot of attention on the socials for mobile B2B marketers, so I wanted to share it on my personal blog as well to give some background for the report. Looking at the trends of for which apps added or removed SDKs gives insight into the trends fueling adtech, revenue services, mobile analytics, MMPs and more. In 2025 there were some clear winners and losers, so let’s look into it more. Some of the highlights: Moloco saw massive growth in their SDK clients X3M has been growing for a couple years but 2025 looks to have been a breakout year for them. FlareLane ‘s push notification SDK has a small base of apps but it’s growing rapidly. Superwall paywall SDK is gaining in popularity among big and small apps Airbridge saw a great boost in growth. Their MMP offering is growing rapidly. PostHog and Parsely saw great growth. These more business / developer focused analytics platforms are growing rapidly. Flurry saw big drops in their SDK usage. Some drops in usage for ad networks like LiftOff/AdColony/Mopub. Don’t be fooled, though Liftoff Mobile saw shrinking trends, it’s partnership/parent Vungle saw a healthy increase. This isn’t necessarily an issue as their older app clients are absorbed into Vungle. A similar situation can be observed for AdColony (Digital Turbine) and MoPub (AppLovin). The whole report & CSV is free on AppGoblin: https://appgoblin.info/reports/mobile-apps-growth-sdks-2025

0 views
James O'Claire 8 months ago

Where are All the AI Generated Native Android & iOS Apps?

I’ve been wanting to keep an eye on AI generated apps to see what kind of SDKs and libraries they end up using for AppGoblin’s massive resource of 100k+ apps and SDKs. So for the past year I’ve clicked/followed a few companies with the goal downloading the actual apps that get created. As I did my most recent rounds checking the “Examples” and “Showcases” I think I can say these apps are just not being delivered in that final native form . To be clear there are lots of web app demos, but when it comes to actual apps landing on the Play and App Stores I’ve found few to no clear examples. Looking for links to native apps in the various company communities/Discords I see a few reasons: As I was writing, this I’m reminded that the ‘native’ term is a bit ambiguous. Most of these companies seem to do Expo/JS related apps into native apps. For this article, I’m just looking for anything that has an app on an app store, as I’d like to later breakdown the use of Expo or other tools. fastshot.ai -> YC Backed, newer so worth giving them some time. Showcase is mostly empty with only one screenshot so far on Discord. a0.dev -> The site has a dozen very high quality examples of web apps. The links to them is to download their own app though. The only examples on the App Stores seem to be from July by the developers. replit.com -> Dozens of real examples of web apps but I couldn’t find any that had Android or iOS apps made by replit. Replit was quite early, launching in February 2024 so I think if there’s any examples this might be the easiest to find. could.ai / dashwave.io / gobuildmy.app -> These ones all have pricing pages but don’t even have examples or demo or showcase pages. I think we’re all coming to see that AI coding tools are good for rapid prototyping but struggling to deliver magic results . That being said, people are using these tools, likely mostly as prototypes and later transitioning to managing the apps directly. If anyone has used these tools and wants to share their apps please reach out. You can also request SDK scans of apps on AppGoblin for free. People are building proof of concepts, and like any project, as you get closer to the reality, the dream gets a bit less rosy. People are getting real value by actually implementing their ideas into apps and thinking through the actual use case. People once finished their app, do not want to publish the fact that it was vibe coded or used a specific company to build. The last mile, from fully working demo to production is hard for AI .

0 views
James O'Claire 8 months ago

PSA/Reminder: AI apps access your clipboard

Clipboard contents: I was reminded today that the Cursor app I’ve installed likely has access to my clipboard. After an SSH debugging session fixing a full disk I opened Cursor and without haven’t even touched this file in week it auto suggested the above function name and command.

0 views
James O'Claire 8 months ago

AI Companies are raising crazy amounts of money so why not use their free tiers?

While some people (my friends included) are out there paying $200 a month to OpenAI and Anthropic, I’d just like to share that if you need to save some money now is the time to cash in on the high valuations and free tiers that all the major LLMs provide. Every day I bounce between most major LLMs, maybe just Grok and Qwen a bit less. I use the browser tabs and usually have one for quick lookups / research, and another for the main larger task I’m working on. I find running in this style, it’s very hard to ever hit noticeable limits. Especially if you use one LLM for spammy quick look ups (ie “git cherry pick syntax”, where it’s basically just returning a quick one liner you forgot how to run). It’s always best to be skeptical of the AIs, so I often take the output of one and directly send it to another to check. This isn’t usually a big change, but it might catch issues and gives me time to read the code more closely as I think about how / if I will incorporate the changes. I heard this first from I think the CTO of Anthropic. And apparently the idea isn’t going away, but you can still get that flow from cheaper tools like Cursor/CoPilot for $20 a month. When I’ve talked to friends about this, they’re ‘sure’ they’re maxing out or using it to it’s fullest, but I have a sneaking suspicion that if they were to try a cheaper / free tier setup they would probably be mostly fine. So, if you have the money and enjoy it, continue on, but if you’ve been looking for a way to save $200-$180 a month, try the free tiers, they’re really just as good. At $200 a month for two years you could buy yourself a homelab PC and a graphics card and run models locally.

0 views
James O'Claire 8 months ago

How creepy is the personalization in ChatGPT?

I’ve been pretty cavalier with using AI. I think once I got used to not fully trusting it’s truthfulness, and instead using it like a teacher that I question and verify. But this past month I’ve been getting more uncomfortable with the answers. Especially ones that I can see are digging up little nuggets of personal information I dropped in over the past year: This is something I’ve looked up half a dozen times. I’ve never used it, debated with friends multiple times it’s usefulness vs SSH. So when I put in the short prompt, I was more just wanting to revist the main talking points in the Tailscale vs SSH debate I’ve had in my head. After the main response, it provides this personalized summary and drops this little nugget of my personal life in, that I do work on my parent’s solar powered off-grid home where I visit a couple times a year. I can’t put my finger on why this bothered me so much. I’m proud of my parents house, I’ll tell anyone about it. I’ve certainly mentioned this to ChatGPT, I definitely used it last year when I built a new solar array for my parents. You can see the picture below building the new one with the older panels I built 12 years ago in the back. So why would it bother me so much? Was it the cognitive dissonance? I’m thinking about tailscale, and it is talking incorrectly about my parents who I miss? Is it that it dug up information about me from a year ago that I forgot, or never really thought about, that it would remember? I mean obviously, I’m on their website, they have my IP. But ChatGPT brings up my location like this fairly often, I think any time I mention a prompt about a product, which I do oftenish as I’ve been curious about how they’ll handle the advertising / product placements. That being said, something about the way it brings up the location, again feels off putting. DuckDuckGo and Google will use IP based location all the time and I’ve never been too bothered by it. But there’s something about the way ChatGPT brings it up, oddly mixing “look up pricing in” with the later “here” as if it’s here with me. Just definitely getting bad vibes. Chunks of code I copy paste into a git repo is like a little fingerprint that can always tie that code back to a moment in time I talked to that instance of OpenAI’s ChatGPT. Little chunks of me that I type into the background of my prompts tie more of my life to ChatGPT, and in ways that it will never forget. I’m not sure what the answer is yet. Maybe OpenAI will smooth out the awkwardness of how it will always remember, if it wants, everything you’ve ever typed to it. My hope is that open local models will become efficient enough to run locally on laptops or small home PCs and deliver private AI chats, but that seems like it’s far off for small budgets.

0 views
James O'Claire 9 months ago

Self hosting 10TB in S3 on a framework laptop + disks

About 5 months ago I made the decision to start self hosting my own S3 . I was working on AppGoblin’s SDK tracking of the top 100k Android and iOS apps so was wanting a lot of space, but for cheap. I got really lucky with getting a second hand Framework laptop. The laptop was missing it’s screen, and was one of the older ones, so it was perfect for a home server. In addition I bought a “just a bunch of disks” JBOD. The framework laptop is running ZFS + garage S3 . I’ve been away, I’ve been working, I’ve been busy, and I’ve definitely been using my S3. But I hadn’t thought about the laptop in 4 months. When I finally logged in, I saw I’ve used 10TB of space and it was patiently waiting for a restart for some upgrades. I nervously restarted, and was so relieved to see everything come right back up. I also saw a pending upgrade for garage v1 to v2. This went along without a hitch too. Feels like it’s been a good weekend. Just so you know, I understand my use case for ZFS is possibly a bit non standard as I’m using a USB to connect the laptop and JBOD . This initially caused me issues with ZFS when garage was heavily reading and writing (the initial setup had the SQLite metadata also stored on the JBOD/ZFS). I moved my metadata to the laptop, which has so far resolved any ZFS issues again.

0 views
James O'Claire 10 months ago

Contabo Defaults Encourage Using SSH Passwords

I recently started helping a less technical friend and had my first chance to see/use Contabo VPS. I’ve been really surprised at their default security practices so far. Contabo’s default VPS creation seems to be root user and password? If you go to “Advanced” the default is to create a user called “admin” (good!) and has the option for a public SSH key. Our new server, that barely any bot knows exists, already gets 350 failed password login attempts an hour. Worse, these bots can see that password login is enabled on our server, meaning they know they should keep trying. 350 password requests an hour on a strong password isn’t much, but eventually more bots will realize our IP is using passwords and try more. Eventually after copy pasting around a password enough some compromised browser plugin / discord plugin etc will capture the password and put it in a list. Contabo “knows” this, even if they don’t practice it: https://contabo.com/blog/how-to-use-ssh-keys-with-your-server Conatabo is bad that they encourage you via their defaults when setting up the VPS to use SSH password. They went out of their way to do that, likely to not put roadblocks up for new users, but it’s bad security. When we hit an issue we contacted Contabo support. They asked us to copy paste our password so they could help troubleshoot an issue. While I appreciate that level of support, assuming users have a SSH password and asking them to email it seems crazy to me. Now there is a record on both our email providers of that password and IP. 1) Use pub/private SSH keys. We can copy/paste public keys anywhere we want, super safe. 2) Make future servers with a user other than root and disable login with root. Root user has special login privileges (allowing SSH to get hammered). And in the future, I’ll complain a bit less about DigitalOcean/AWS/GCP.

0 views
James O'Claire 10 months ago

Mobile Trackers your Ad-Blocker Doesn’t Know About

This is the full list of the main API endpoints that apps send data to. This is across ~70k android apps and the smallest endpoint has about ~90 apps that send data to it, meaning it’s unlikely to be an app developer’s domain. Then I checked whether these domains were in any of: https://github.com/StevenBlack/hosts , https://easylist.to/easylist/easylist.txt or https://easylist.to/easylist/easyprivacy.txt . I was surpised how many were NOT in any of the lists, over 1/3 at 127 and individually the blocker lists only had about 1/3 of these domains. I’m not currently going to open PR tickets for these domains, as the scale that I collected these at could easily contain some perfectly acceptable use cases. I’ve tried to remove those that I recognize as acceptable so far. Here’s a Google sheet of the same data (feel free to leave comments).

0 views
James O'Claire 10 months ago

Contabo Private Networks are a Pain

I recently started using Contabo VPS’ while working with some friends and at some point we decided we wanted to use local networks. On all other major cloud providers this is free, faster and encouraged to send data over the private local network rather than across the public internet when communicating with two instances. Contabo? It costs $1.50 USD per month per VPS to add them to a private network. Ok, that’s a a surprisingly high amount compared to free / encouraged. So let’s just do it right? Wait! After having signed up two servers, both require “reinstallation” AKA they require being completely wiped and remade. Thankfully, these are not old servers, they’ve all been setup in the past couple weeks, but wow Contabo is prettty painful:

0 views
James O'Claire 10 months ago

The 300 Most Common Android Data Endpoints (and the Companies Behind Them)

Last week I wrote a blog working through a few unknown endpoints. My goal was to bring some attention to these lesser known end points where many apps send their data. This post is split into two sections. The first at the top here are endpoints that do not have landing pages and have not been tagged. The second is my full list of the top 300 endpoints called by Android apps and the companies that own them. Where did this data come from? I’ve been collecting this data with AppGoblin and all code is open source. I’ve been running ~60k apps in an Android emulator with ~50k successfully run, I’ve been mapping each endpoint called by the apps when they are open for 1 minute. This means most ad networks and analytics are well represented as they often load on start. Here is a Google Sheet with the same data. The data may be updated for correctness today, but I will not keep it updated over time. For up to date mobile ad data check AppGoblin in the future. Here is the full list. Note there are some untagged end points here such as the IP geo tagging ones or large app publishers that I have not tagged yet as I was unsure how to categorize them.

0 views
James O'Claire 10 months ago

Uncovering Lesser Known Mobile Adtech Domains

AppGoblin has now run over 40k apps in an emulator, tracking millions of API calls thousands of advertising domains. Unfortunately, some of them are dark, meaning they have no landing page of any kind, and I’m unclear who controls these domains. Let’s see if we can figure them out! This one is a mystery. Seems like it’s related to Germany since it’s always resolving to HETZNER and german IPs. Checking the shared IPs, it looks like they do overlap with unity3d.com domains sometimes. Again, this whole list is games. Looking at the requests I can match various keys to values from untiy3d.com API calls! Specifically they share the same `app_key` values. Well that name definitely comes off as esoteric at first. First let’s check the IP cluser and see what we find, of the 233 apps sending/receiving from acobt.tech we have 4 other sites with 1:1 matches that are all sites that do not have any landing pages. acobt.tech 233 news-cdn.site 233 inmense.site 232 kickoffo.site 232 Searching the internet shows various hits saying some of these belong to Bigo Ads . Let’s check the apps’ SDKs and see Again we got lots of games, and looking it looks like AppGoblin has indeed already found that each of these has a Bigo Ad SDK . Wait, this one also matches the IPs for the other various Bigo Ads. Seems like Bigo really uses a lot of random domains? OK, great name. This one appears in clusters of SDK advertising, making me think it’s related to a mediation SDK of some kind (rather than to one specific ad network). Possibly this is bidmachine.io’s as it is the most common, but really all the top ad newtorks appear nearly 1:1 along side it across the 276 apps I’ve found it in: bidmachine.io 275 unity3d.com 270 doubleclick.net 269 mtgglobals.com 267 rayjump.com 267 applovin.com 261 vungle.com 257 Definitely game focused list here. They almost all call variations of Looking around there are lots of examples of shared IP addresses with everestop.io and bidmachine, so I think that might have solved that. everestop.io 172.240.40.172 bidmachine.io 172.240.40.172 bidmachine.io 204.74.252.252 everestop.io 172.240.61.171 voisetech.com 34.216.198.39 Looks like a lot of the apps have the and SDKs, so I’m thinking that `lazybumblebee.com` does indeed belong to BidMachine and helps it with some app mediation service. is just the kind of generic descriptive name I’d come up with. Example apps, there are a lot of very corporate apps in here along with lots of shopping. Each app sends off two API calls on start to a unique (per app) subdomain on marketingcloudapis.com with the response from the first API call below. The information sent seems somewhat bland compared to the usual deep scraping that advertising SDKs do. So this is likely paired with other API calls already going out. Checking on domains that are called together, it looks like this is almost always called with so possibly this is related to Google, but this is a bit weak as a lot of Android apps have integrations with Google. EDIT: I posted this on HackerNews and user politelemon correctly identified this as SalesForce . Very awesome spot by that user, and it matches the various AppGoblin SDKs for each app as in this example for the Adidas app SDKs . Much better than I expected. A bit of digging and all the URLs were figured out with the exception of marketingcloudapis.com which I was a bit unsure of, but looks like google.com Woodoku – Wood Block Puzzle Draw Climber Spider Rope Hero: Action Game Running Pet: Dec Rooms Bubble Shooter 2 Pirate Treasures: Jewel & Gems Tik Tap Challenge Collect Em All! Clear the Dots Gun Simulator & Lightsaber Pizza Ready! Sculpt People Vita Mahjong Modern Bus Simulator: Bus Game Gym Heros: Fighting Game Blockman Go Going Balls aquapark.io Snake.io – Fun Snake .io Games 1945 Air Force: Airplane Games adidas: Shop Shoes & Clothing Claro música Domino’s Pizza USA SiriusXM: Music, Sports & News GasBuddy: Find & Pay for Gas

0 views