Home/ Questions/Q 8552519
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-11T14:26:28+00:00

I’ve developed an app that allows users to upload some photos and share them

  • 0

I’ve developed an app that allows users to upload some photos and share them on Facebook/Dropbox/Twitter etc. Recently it went live in the app store.

However, I’m having a problem now: a bot is creating accounts and uploading many photos on my server. I’ve temporarily disabled the app, but now I’m looking for an efficient way to prevent this bot from doing this.

The bot’s ip address is changing very often so it’s impossible to block the ip. He creates accounts with a very realistic name and email address so it’s hard to find out which users are real and which are created by the bot.

I was thinking of using a captcha, but I’m not sure if my app will be rejected by Apple if I implement this. I’m preferably looking for a way so I can prevent him from doing his work and so I don’t have to resend the app to Apple again.

Could anyone give me some advice on what I could possibly do?

Thanks!

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    This is how I solved a similar problem:

    I implemented a token-generator, which generates a one-time token for every single data transfer with the server, so even one for login-data, sending a file etc. This token is generated by a secret algorithm and can be verified server side, since you know how you generate one.

    After one token is used, put it in a temporary list for the next X minutes/hours/days (depending on how many data transfers your server can handle). When a user tries to send data with a used token (i.e. the token matches one in the “banned” list), you can be sure that someone’s trying to spam you -> mark the account as “spammer” and decide what you wish to do.

    The algorithm must produce a different token each time (the best way would be a one-way hash), but you have to assure specific “properties”, with which you can proof its authenticity.

    So one very simple example:

    Your algorithm in the client is generating a number between 1000000000000000000000 and 99999999999999999999999, this number is then multiplied with 12456564 and incremented by 20349.

    The server becomes a specific command and data, and the generated token. Now it checks, whether (number - 20349)%12456564 is 0. If it’s 0, it was likely generated by your “secret” algorithm.

    It’s a very basic example but you get the idea…

    • 0