When a porn site masquerades as the Apple App Store

The next time you think you’re buying an iOS app from Apple’s online store, be warned: it could be a lookalike site. Recently I was redirected via an ad to an Apple-spoofing site at Badoink. As you can see in the screenshot below, their web page looks deceptively like the (old) App Store. It took me at least 10 seconds to realize what happened. You can imagine that some people might fall for this.

Badoink apparently is one of the more popular adult streaming services. The company charges up to $30 a month for access to what it claims are “55,000+ DVDs” that can be streamed or downloaded. Badoink mimics the App Store in every detail: they have a buy button that changes color, along with swipeable photos that depict their web page in an iPad frame (notice the URL bar).

The funniest part of this spoof is the rating and user comments section. Not only did Badoink give itself only a 4 out of 5 rating with 27,485 “user ratings”, but they also wrote hilarious fake user comments, as you can see in the screenshot below.

So what happens if you try to buy this “app”? Well, they resort to the good old “adult verification” trick and make it look like an iPad warning (see below).

If you click okay, they’ll display their subscription dialog that invites you to either pay $1 for a day or $29.99 for the month.

There’s a reason, of course, that Badoink made a web page mimicking the App Store: Apple is notoriously sensitive about pornography and isn’t about to let an app described as “super hot and hard-core” through the door. Apple’s guidelines say: “Apps containing pornographic material, defined by Webster’s Dictionary as ‘explicit descriptions or displays of sexual organs or activities intended to stimulate erotic rather than aesthetic or emotional feelings’, will be rejected.” Even photo-sharing apps, like 500px, have run into trouble. For porn producers, the solution for iOS has been web apps, and a “sex app shop” (NSFW) and pornwebapps.com have appeared.

The takeaway of this blog post is that it is always worthwhile to take the time to check whether there is a URL bar and which domain it displays when you see something unexpected. Remember, on the Internet the clothes do not make the man.
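The check recommended above is easy to do by eye but also easy to get wrong under pressure, so here is the same idea written down as code. This is an added example, not code from the original post or from any of the sites it mentions: it parses a URL with the standard WHATWG URL API, extracts the real hostname, and decides whether that host genuinely belongs to an expected registrable domain. The list of expected domains and every sample URL below are constructed for illustration; the lookalike domains do not refer to any real site.

```javascript
// Added example (not from the original post). Decides whether a URL's host
// really belongs to one of the domains we expect, the way a careful reader
// of the URL bar would. All domain names below are constructed for this demo.

// Registrable domains we are willing to treat as "the real App Store".
// Assumption for this example; a real deployment would keep its own list.
const EXPECTED_DOMAINS = ["apple.com"];

// True only for an exact match or a dot-separated subdomain of `expected`.
// "apple.com.attacker.example" ends with "apple.com" as a prefix, not a
// suffix, so it is rejected; "notapple.com" is rejected because the
// character before "apple.com" is not a dot.
function hostBelongsTo(hostname, expected) {
  const h = hostname.toLowerCase().replace(/\.$/, ""); // normalize, drop trailing dot
  return h === expected || h.endsWith("." + expected);
}

// Classifies a URL string. The URL parser does the heavy lifting: it strips
// userinfo ("apple.com@attacker.example" has host attacker.example), lowercases
// the host, and converts Unicode hosts to punycode, so visual lookalikes built
// from non-ASCII letters no longer compare equal to the ASCII brand name.
function classifyUrl(urlString, expectedDomains = EXPECTED_DOMAINS) {
  let url;
  try {
    url = new URL(urlString);
  } catch (err) {
    return { verdict: "unparseable", host: null };
  }
  if (url.protocol !== "https:") {
    return { verdict: "not-https", host: url.hostname };
  }
  const ok = expectedDomains.some((d) => hostBelongsTo(url.hostname, d));
  return { verdict: ok ? "expected" : "lookalike", host: url.hostname };
}

// Constructed sample URLs covering the common ways a lookalike is built.
const SAMPLE_URLS = [
  "https://apps.apple.com/us/app/example/id1",   // genuine subdomain
  "https://apple.com.lookalike.example/app",      // brand used as a subdomain
  "https://apple.com@lookalike.example/app",      // brand hidden in userinfo
  "https://www.appIe.com/",                        // capital I instead of l
  "https://notapple.com/",                         // brand as a suffix of the label
  "http://apps.apple.com/",                        // right host, no TLS
  "not a url at all",                              // garbage input
];

// Returns one verdict per sample so the result can be inspected or asserted on.
function reviewSamples(urls = SAMPLE_URLS) {
  return urls.map((u) => ({ url: u, ...classifyUrl(u) }));
}

for (const r of reviewSamples()) {
  console.log(`${r.verdict.padEnd(12)} host=${r.host}  ${r.url}`);
}
```

The important design choice is to never compare against the raw string the user sees: the parser's `hostname` is what the browser actually connects to, and suffix matching on a dot boundary is what separates `apps.apple.com` from `apple.com.lookalike.example`. Checking the scheme is cheap and catches the plain-HTTP variant of the same trick.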

About: Elie Bursztein
I lead Google's anti-abuse research and invent new ways to protect our users against cyber-criminal activities and Internet threats. I recently redesigned Google's CAPTCHA to make it easier, and made Chrome safer and faster by implementing better cryptography. I was born in Paris, France, wear berets, and now live with my wife in Mountain View, California.