How Schedugram works, and why we use real phones to post for you

Every now and then there’s suddenly attention paid to how we work, which is great because it’s pretty unique and old-school!

As the founder of Schedugram, I welcome the opportunity to explain how we’re different and why we chose to do things the way we do, and call out some of the rubbish our competitors sometimes try and paint us with.

How can you schedule posts to Instagram?

There’s 3 ways of posting or scheduling content to Instagram (other than just doing it yourself of course). They are:

  1. Notification apps [you do the posting]
    These apps/platforms send you a push notification to your phone when it is time to post your post(s). You then open the notification, make sure you are logged into the right Instagram account in the Instagram app, and it pre-fills the image and caption for you to post it yourself.
  2. Posting with phones [posts for you]
    This is us! We post just like you do on real phones. When it’s time for your post to go live, we login to the Instagram app, choose the image you selected, type the caption you entered, and upload the image or video.
  3. Using the ‘private API’ [posts for you]
    This is the third way of posting to Instagram. It involves carefully observing how the Instagram app sends content to Instagram, and then “mocking” that API (application programming interface – essentially the set of web URLs that the app uses) to act like you are a real phone. Often there is all kinds of techniques used by the app provider to make this tricky, like using special keys to encode images or captions.

Let’s have a look at each type in a bit of detail, starting with the things that we aren’t first.

Why it’s a bad idea to use the ‘private API’

As you can guess, the private API is a bit of a sneaky way to post to Instagram (some people call it “hacking” Instagram which isn’t quite correct, but sure, whatever works!). It’s obviously not what is intended to be the way that you schedule content to Instagram, and is explicitly forbidden in their terms of service:

Don’t reverse engineer the Instagram APIs or any of Instagram’s apps…You must not access Instagram’s private API by means other than those permitted by Instagram

Now that doesn’t mean necessarily that your account will get banned or anything like that. Done perfectly, nobody could tell the difference between this kind of service and the official Instagram app. Some people happily use these services despite knowing they don’t quite meet the terms and conditions, and that’s their choice.

Using techniques like this is how the many auto-like/comment/follow services work as well (as the official Instagram API would never allow you to do that) – notably, the biggest of those services (Instagress) closed down recently. Interestingly, not every account that used them got deleted though (or any when it shut down?)… a lot of people have lamented the loss of Instagress and/or promoted it while it was live but still have their accounts. There’s a now-infamous blog post from photographer Sara Melotti about some of the tricks people use/used, including Instagress.

At team Schedugram we think shutting down these services is great, because Instagram engagement should be authentic and real, not bots commenting or liking stuff. That’s why you will never see Schedugram offering any kind of auto like/comment/follow feature – firstly, it’s pretty spammy regardless of what’s permitted, and secondly, it’s not allowed.

There’s also terms that you can’t use the official Instagram API to do automated likes/comments/follows. That’s kind of irrelevant to posting stuff to Instagram, and as above, we think it’s a totally reasonable thing (and of course we comply with that requirement, as we don’t use the private or official API to post for you).

Of course, the risk that one of these services is not “perfect” in how it operates is non-zero. Maybe Instagram changes something instantly across their app to test what is working and what isn’t, but really it’s mostly a case of chasing their own tail – the operators will re-reverse-engineer the new way of working and then mock it again. But in the meantime, it’s possible your account gets flagged as using a not-official method. Most likely though (IMHO) they’ll just get progressively shut down by Instagram without any real consequences to their customers.

When notification apps are fantastic

We’ve always been of the opinion that notification apps (like Later.com, Hootsuite, Sprout Social, Buffer, Coschedule, the list goes on) are great for certain types of customers. Those tools are typically cheaper than services like ours, because we have far more complicated infrastructure requirements in order to be able to post for you.

If you only manage one or two accounts and post during the day (and you’re happy to be near your phone when you are planning to post), it might work fine. But as soon as you start having multiple people managing the account(s), or more than a couple of accounts, it starts becoming really time consuming.

You still save time compared to doing it all by hand, but the time saving can be very marginal as there is still a lot of manual work involved. To use the data that we know well, even optimised as well as we possibly can, it takes around 2-4 minutes to post something manually, before you consider the time checking if you are signed into the right account.

So it’s a trade off, but for some people/businesses it will be a better option than Schedugram, which is totally okay with us.

How Schedugram works: just like hiring a staff member!

Then there’s how we work. We work the same as if you hired a new staff member to look after your account. When it’s time to post, we login to your account, post the image or video you have asked us to post, then log out again and move on to the next image/video.

We use a real world phone. The models we currently use are HTC Desire 730’s and some Motorola Moto E’s (many are now deprecated as they had a high death rate). We literally go through and open the Instagram app, click the login button, type the username/password, pick the image etc. There’s a big ‘wall of phones’ in our office (see photo at the top) which does all the posting. We don’t use the private API (or any API for that matter) to post, we use the Instagram app.

The only difference between us and a staff member is that unlike a person, a computer coordinates the clicking and typing (no, we don’t have some kind of slave army of people on phones). But otherwise, it’s the official latest version of the  Instagram app on a physical phone.

From the start, we implemented a lot of strict rules to make sure that we don’t add to noise on Instagram. We want Instagram to be a great community just as much as our customers. For example:

  • We still review and check every single account that gets added to Schedugram against our account requirements, which go above and beyond the Instagram community standards. We probably reject around 10-15% of accounts added to our service for being not family friendly, promoting illegal content, breaching copyright standards or just … bad content.
  • We restrict customers’ posting so that they can’t post 50 things every hour and spam the hell out of their followers. That’d both be an easy way to have followers leave you and to have Instagram come and rap on your shoulder.
  • We don’t let people just repost the same content over and over (despite being a common request, and pretty easy to implement) because that’s starting to look spammy. Ditto with using the same caption every single time – would you want to follow an account that used the same image or caption all the time?
  • We monitor our error rates to identify customers with really high error rates, which can be associated with low quality content. We reach out to those customers and if they don’t clean up their act, we boot them off our platform.

I suspect you will find that given the above, the ‘notification apps’ will be the ones that have had accounts deleted from using them, because anyone can use them. One of the ads I saw for an article going around talked about ‘hundreds of accounts’ being deleted this week, which I didn’t even know occurred – neither us nor our customers were affected.

Posting using real phones comes with so many challenges it isn’t funny. It’s a story for another day, but when I was first looking at how to solve the ‘Instagram scheduling problem’ back in late 2013, my housemate suggested I post using real phones. I told him that he was crazy and it was the dumbest idea in the world, because of how hard it would be to do accurately and scale as you brought on new customers. But he still gets the last laugh when we catch up.

I often tell people (as the founder of Schedugram) that for the first 2 years of our operation, I pretty much didn’t sleep and spent the whole time learning to write the right kind of error management systems for posting to Instagram. While it’s a little exaggerated to say that, it’s not entirely untrue.

Given the work that went into it (and still does), I get a bit pissed off when people lump us into the same category as services that just reverse engineer Instagram’s ‘private API’, as it would probably be a lot easier to do and involve far fewer sleepless nights. Regardless of your belief of different levels of risk that they might or might not present, acting like we’re the same is a pretty uniformed and over-simplified way of promoting your own service. At the same time, when your competitors start spreading mistruths about you, it’s usually because you’re winning market share from them 😉 . Old school sales tactic #1.

To this day, I’m still proud that we still have customers who took a punt on us back in January 2014 when we first launched, and continue to use our service today. I’m sure they would agree that our service is a lot better these days than it used to be, and their feedback is what has guided the product to where it is today.

The downside – we need a password

But there is a downside – we need your password to post, just like a new staff member (or hiring an agency) would. Unfortunately unlike Facebook, there isn’t a way (yet) to delegate the ability to login to your Instagram account so that someone else can post for you without having to share the password.

Of course, we use a range of methods to protect your password – I’ve seen situations where social media passwords are kept in things like Google Docs or in an unprotected Excel sheet on a shared drive, and we do a lot more than that to keep your password as safe as possible. It’s worth keeping in mind that the most likely way someone will manage to get into your Instagram account will be through guessing the password if it is obvious. As we’ve written in the past, having a secure password is vital, and certainly don’t make it something like ‘Account123’ or ‘password’.

But Schedugram also means that you potentially don’t have to share your password with anyone else to post for you (internally or otherwise) – you can use Schedugram to be able to share access with other team members, who get their own individual logins and never see the actual Instagram password itself. So it’s a bit of a double edged sword – no matter which way you look at it, you need to share it with someone.

We also have trouble logging in sometimes

As you probably experienced when you first added your account(s) to Schedugram, the fact that we login to post for you also means that we can sometimes have trouble logging in. This occurs more often when suddenly there are new ‘locations’ logging into your account – we have had instances in the past for example when a customer has flown overseas and opening the Instagram app causes everyone to have problems, including us and their staff back home.

Luckily most of the time this is just a one-off security check, and after that we don’t have any issues. In a lot of ways it’s a good thing that it happens – otherwise anyone could login to your account. But it can be a nuisance.

Why we use real phones rather than ‘virtual’/emulated ones

A few people have been saying that they use ‘virtualised’ phones rather than real phones (phone emulators) to do the posting. To be honest, we thought about it at the start. It’s a lot easier to scale, and you can even outsource the scaling side of things to something like Amazon Web Services.

But we do know that those virtualised phones are different to real phones. The easiest way to know is that when we use them to test our Android app, it can be perfectly fine but on a real-world phone it doesn’t work.

We also think it’s kind of shirking the rules. It might be theoretically the same in terms of using the Instagram app, but it isn’t really keeping to the ‘sense’ of the rules. But in the same way that there isn’t anything in the Instagram terms of service that say that you can’t use someone else to post on your behalf (or agencies would be out of business…), there isn’t anything to say that virtual phones are not OK but physical ones are. Perhaps the difference is just academic, but that’s my two cents.

So what is the real difference in risk between the options?

Obviously, nobody can actually say other than Instagram themselves. Anyone who claims to think that they know how Instagram operates or thinks but doesn’t work for them is guessing. So this is my opinion/perspective, but you should come up with your own understanding.

Our belief is that the ‘notification apps’ are certainly the lowest risk, as (assuming there is only one person managing the account) you don’t have to ever share your password. But that also comes with a lot more time and effort, so it won’t suit every (or most) people.

We think that Schedugram is the ‘middle’ option, in that the risk is that you share a password with us, in the same way that you take a risk when you hire a new staff member and give them access to your account there is some degree of risk. Of course, most people wouldn’t bat an eyelid doing that – that’s why you have hired them after all – but the level of risk is similar. And of course we do have mechanisms to protect your passwords as best that we can, and enable you to pick a more complex password that you wouldn’t want to have to share with your staff anyway as it would be a pain to type in, remember or share.

That last point is pretty important – IT security experts are increasingly recommending the use of password managers to store your everyday passwords in (personally I use Lastpass). That involves having a risk that the password manager company doesn’t store your passwords securely, but it is far outweighed by the fact that it becomes far easier to have unique, hard-to-guess passwords for every single service rather than having one password for everything or iterations on one password.

I think it’s clear that the services that use the ‘private API’ are higher risk. I can’t say how high the risk is, because there are some that have been operating for 2+ years, and so you’d think they would shut down or their customers would abandon them if the accounts all got hacked. But regardless of the reality, it is something that is a pretty clear violation of Instagram’s terms no matter which way you look at it.

What is the best Instagram scheduler for you?

Of course, I’m biased and believe that Schedugram is the best service. But it does depend on your budget, number of accounts you manage, size of your team, and posting schedule.

The customers that get the most value from Schedugram are the ones that have multiple accounts and several team members, and try and cover many hours of the day in their posting schedule. They don’t want to have to post manually on weekends or at night – despite Instagram now having an algorithmic feed, the ‘timeliness’ of a post is absolutely still a factor in how many people see it.

For others, they just don’t want to have to bother with posting manually, or continually pull out their phone to do so, and they’re happy to pay for Schedugram to do it.

We often get people telling us that Schedugram revolutionised their work (and sometimes social) life, and we always appreciate the feedback – both good and bad – so that we can celebrate what we do well, and continually improve what we do.

We’re proud to have helped customers of all shapes and sizes improve how they work every day for 3.5 years, and we look forward to the years to come.