While Vine, Flipboard, and Path have all promised Windows Phone 8 support, one particular app is still missing: Instagram. Nokia has tried to pressure Facebook into building an Instagram Windows Phone app, but so far users have had to resort to third-party applications. Instance, a popular unofficial Windows Phone Instagram app that supports viewing and uploading of Instagram photos, appears to now be blocked from using the photo sharing service. The application reverse engineers Instagram's own API to bypass and upload pictures to the service unofficially.
Daniel Gary, the developer behind Instance claims that Instagram is deleting images after they're uploaded to the service using the third-party Instance Windows Phone app. During our own tests we've been able to confirm that photos do indeed upload to Instagram from the Instance application, and are visible on Instagram's website if you're logged in using your own profile. After just seconds, the photos disappear from an Instagram account and the URLs to access them no longer work. On one Verge staff account, a photo uploaded last week using Instance is no longer visible publicly for others to see, but is still stored under the account.
It appears that Facebook is tracking uploads from the Instance app, and perhaps other unofficial Instagram apps, and is actively deleting user content. The change comes just days after Hipstamatic Oggl launched for Windows Phone, providing Instagram upload support but no viewing capabilities. Gary was previously forced to change the name of his application from "Itsdagram" to Instance, and we've reached out to him for comment on the removals. We've also contacted Facebook to comment on the content removals, and we'll update you accordingly.
Update: Instance developer Daniel Gary has confirmed to The Verge that Instagram appears to be "detecting when photos are not uploading via the official app." Gary says he's working on a fix, but that the problem is affecting all users of Instance. "It’s their servers, their service. What I was doing was not approved by them and was using their private API," he says, noting that he doesn't blame Facebook for blocking the app.
Update 2: An Instagram spokesperson has confirmed that the company has implemented a recent change to its API. "We recently made an update to the systems that we use to fight spam to help prevent future attacks and increase security," says a spokesperson. The change will affect any apps accessing Instagram outside of the official API, and it appears to be a broad change that doesn't target any particular application. 6tagram, another third-party Windows Phone Instagram client currently in beta, is also experiencing issues.
Update 3: An Instagram spokesperson has confirmed the "update does not specifically target any particular app or platform." The API appears to have been updated again, as Instance users are reporting that pictures now successfully upload to their accounts, but that they're blocked from view to other users.
Comments
holy shit.
By timcrook on 07.30.13 7:03am
Completely trivial to bypass with an app update. There is no way of identifying an equivalent app from a remote connection when you have to original app to analyse and copy properly.
By KurianOfBorg on 07.30.13 7:25am
Instance’s dev doesn’t find it that trivial though:
By CreepyDroid on 07.30.13 7:29am
wouldn’t the image data have something about WP in it? Like, from the camera? idk maybe they are using that. No idea how this stuff works.
By seangt on 07.30.13 7:38am
Thats a point, but I’d hope he’s stripping/modifying EXIF data. (at least to test)
By Popher on 07.30.13 7:39am
Maybe. Tweet that to him, it might help.
By CreepyDroid on 07.30.13 7:40am
actually that doesnt make sense because hipstamatic photos are allowed….and they would need to differentiate on the app level. So they must know it’s specifically instance somehow.
By seangt on 07.30.13 7:43am
Because Hipstamatic most likely pay a fee to Instagram to be able to publish to their service, whereas Instance obviously doesn’t.
By VoxMediaUser622334 on 07.30.13 7:49am
I’m purely talking about the mechanics of the blocking. I meant it wouldn’t make sense for them to be blocking photos taken from all WP devices because hipstamatic lets people upload.
By seangt on 07.30.13 7:51am
Maybe HM masks the EXIF with their own name or something.
By VoxMediaUser622334 on 07.30.13 8:04am
Well it’s easy actually ;
- Select all WP pics (EXIF data)
- Deselect Hipstamatic ones (as they can be tracked)
- Delete?
By osman.kalkavan on 07.30.13 7:50am
ooooh. maybe. that’s a good one.
By seangt on 07.30.13 7:51am
except instance does not leave any exif data nor does instagram when you upload to their server. I just tried uploading an image downloaded from the internet with no exif data (as far as I know, WP does NOT write any EXIF data on downloaded images) and it deleted it as well. So it’s not an issue with exif data. I insist, Daniel Gary must be doing something wrong in his code.
By barttool on 07.30.13 7:53am
Might be – I was just trying to guess along with you people.
By osman.kalkavan on 07.30.13 8:04am
>delete from hipster_pics where phone_os=‘windows phone’ and app!=‘instagram’ and app!=‘hipstamatic’;
By 2kilobyte on 07.30.13 10:20am
Code Fail … He is not uploading directly thru windows phone he is using an android virtual machine in the cloud so your code would have let it right through before even checking the app conditions ..
By kooksta on 07.30.13 10:22am
I don’t like you…
By 2kilobyte on 07.30.13 10:33am
Hey .. you throw stones and don’t expect anyone to pick them up? No offense to you directly ..
By kooksta on 07.30.13 10:35am
what?
By 2kilobyte on 07.30.13 11:10am
That’s Instagraph.
By huminger on 07.30.13 12:29pm
I’m wondering if Rudy is having the same issue on his instagram app, he hasn’t said a word about 6tagram on twitter since the tweet about instance
By handyman227 on 07.30.13 10:34am
If Instagram were smart, they’d be embedding timecode-encrypted authentication strings into the content of the images themselves, not just in the header. It’d be impossible to find, even if you searched for common strings across authentic Instagram images unless you knew the encoding mechanism.
By ElementFire on 07.30.13 2:08pm
…until someone extracts the encryption key from the app.
By The Vergil on 07.30.13 7:03pm
If you control an API you know the statistics about it, how it works, what it’s not sending back correctly. Any incorrect calls made by a third party application can easily be logged and masked as exploits.
By bokonon on 07.30.13 8:39am
“Completely trivial to bypass with an app update. There is no way of identifying an equivalent app from a remote connection when you have to original app to analyse and copy properly.”
That’s technically true. However, if they implement any kind of protection in that app that could be interpreted as DRM or “copyright protection”, then reverse engineering or circumventing that protection by itself could be considered illegal in most jurisdictions. So a legitimate app couldn’t rely on such (illegal) means, and thus could be successfully stopped from accessing the service, by legal means.
That said this is why the “fight spam to help prevent future attacks and increase security” is nothing more than just BS. Because obviously only legitimate apps can prohibited this way, and the bad-behaving ones – like those that would be used to spam or security exploits – can not, because this is not a technical hindrance.
Obviously the real reason behind banning 3rd party clients is that they obviously are looking into monetizing the service (in the client), and if there were any 3rd party apps additional to theirs, the uses of said apps could escape that monetization strategy – whatever that would be.
By FF22 on 07.30.13 12:23pm