Hello. In this post I will talk about how I created an Iframe application for a well-known social network. The post is more narrative than informative, although I will try to answer many of the questions that left me stumped at the start.
I got acquainted with the VKontakte API relatively recently. Back then it seemed terribly complex and ambiguous to me, with a minimum of explanation and a complete lack of usage examples. Now, having brushed up my JavaScript, I have no difficulty with it at all. On the contrary, it is even pleasant that the developers did so much of the thinking for me.
Working with the VKontakte JavaScript API is embarrassingly simple. You only need to include the xd_connection.js file, initialize the VK API, and make requests no more than three times per second. It is also worth noting that, without any request on your part, VK passes many necessary parameters into the Iframe as a flashVars object. From it you can pull out the user id, a token that simplifies authorizing the user on a third-party server, the interface language, and other useful things.
The first one
For the first application I decided not to overthink it and made a psychological test that posts the result on the user's wall. Perhaps many will now say "ugh" and stop reading. Frankly, I am no fan of all this shamanism with psychoanalysis and astrology myself, but, as it turned out later, such applications gain an audience quickly. There was already a sea of tests, though, so I had to come up with something flattering that would intrigue users and encourage them to share the result on their wall. I decided to make a test for your "psychological salary": you answer a few simple questions, after which the application offers to post an entry with the result on your wall. It is called "What kind of salary do you deserve?". At the moment it has 1'700'000 installations.
It took me three days to create, and 90% of that time was spent getting the posting to the wall to work. A simple algorithm calculated the result from the selected answers, sent a request to the server, which generated an image with the required salary (I used this class to overlay the text on the image) and uploaded it to the server.
Important: do not forget to choose in the application settings which personal information you need access to, in other words, what you will request through the API; otherwise VKontakte will not give you this information.
The post looks like this:

I decided to add a twist to the application: at the end it calculates how much of what you could buy with your “psychological” salary.

Moderation
Once the application is created and enabled in the settings, any user can launch it via a direct link. To get into search and the catalogue, it must pass moderation. To do this, you leave a deposit of 10 votes (VK's internal currency) and wait. Very often, on the first moderation, the answer from technical support looks like this:

Attention: with this answer it is impossible to find out what exactly the moderators did not like. You will be politely told that they do not give such explanations.
In rare cases, technical support rejects the application and tells you right away what needs to be corrected, even sending a screenshot. Most likely they have some sort of checklist against which they check applications. In my case what saved the day was adding an “about the application” button, which carries absolutely no meaning; however, after it appeared, the application was finally approved. The deposit, by the way, was always returned.
Important: an SSL certificate is necessary for the application to work correctly. Otherwise the application will not open over https and you will lose half of your users. A self-signed certificate is not a solution.
Takeoff
Only the easy part remained. A friend who runs groups made several advertising posts, and then the application took off like a chain reaction:

Within a week, traffic on its own jumped to 125 thousand a day. Frankly, I did not expect such a load, so I even had to rent a more powerful server. Inspired by this success, I made a few more tests on the finished platform. To date they have scored 1'300'00, 300'000 and 100'000 thousand installations. I see no point in talking about them; they are similar.
The first rake I stepped on was the PHP log file, which grew to 800GB. This happened because of several notice-level errors that were logged every time a user took the test.
Interestingly, in the first month of its existence the test was popular with an older audience (25+), but a month later schoolchildren took over.
Out of curiosity, I added the following question: “Do you think the dollar will rise in price tomorrow?” and began keeping statistics on it in order to predict the exchange rate from the mood of the population. It never came to that, so if anyone is interested, I can provide the database for analysis.
Changing course
For all their virality, tests have one big drawback: a low rate of returning users. Only a handful of people open such an application a second time. So I decided to make a game. More precisely, I took Gabriele Cirulli's game 2048 as a basis, back when nobody had heard of it yet. Although the game is open source, I still asked the author for permission personally.

Having received a positive response, I set to work. A few days later, a game called "Stacker 2048" passed moderation.

Suddenly the second rake appeared. The next morning the application was hacked by the simplest XSS attack. That user data cannot be trusted was something I simply did not know at the time. A schoolboy put a script in place of his name in the “Top 100” list, as a result of which abusive alerts prevented players from doing anything. While plugging holes, I became acquainted with the many tricks that juvenile Robin Hood hackers are capable of; having made a mess, they wrote to me in private messages that it served me right for stealing the game. I closed the holes as they appeared. There were SQL injection and CSRF vulnerabilities. Once, the entire database was wiped. Someone even tried to take down the server with the generated pictures by feeding a random string to the file generator 10 times per second. Now, having learned my lesson, I use a token and a session for each user, send all POST data along with the request together with a hash of all the transmitted data, which is checked on the server. Since then, fortunately, nothing terrible has happened.
Rake number three was the generated pictures. For 2048 the number of points is the same for many users, so it is easier to store pictures with the results than to generate them anew each time; for the tests, however, the outcome is always different and there are a great many pictures. Therefore I have to use the cron scheduler to clean out the pictures folder every 10 minutes.
At the moment, 180,000 people play in Stacker, and the user return rate is very high.
For VKontakte games there is a special boost of starting traffic: adding the application to the very top of the "new" category. It costs 1000 votes, you wait a month and a half in the queue, and the application must have in-app purchases.

Monetization
As soon as traffic went up, I seriously thought about monetizing my applications. There was not much choice, since there are not many affiliate programs that work directly with VKontakte. I settled on a preloader that shows a short promotional video each time the user opens the application, if the user falls into the target audience, which is about 60% of the whole audience, plus advertisements in the style of those VK shows itself. At the current traffic, the income from my four applications averages 2000r per day. To track traffic, I made a separate page on which I draw graphs of user activity using an HTML canvas.
Afterword
For me personally, this kind of independent income became a breakthrough and an excellent incentive. The more applications I make, the more ideas I get. In the near future I plan to develop something more serious. I hope this post was useful and interesting.