Free access to substitution plans – Deobfuscation adventures
Formal Metadata
Title: Free access to substitution plans – Deobfuscation adventures
Number of Parts: 254
License: CC Attribution 4.0 International: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers: 10.5446/53233 (DOI)
Transcript: English(auto-generated)
00:22
Free substitution plans for schools. Yeah, done by Finn Godau. Thank you to the translators for translating into German. Let's start.
00:42
In general, as you know, teachers can't always teach as planned. So students need to be informed when their lessons are moved in time or space or both, or don't take place as they should, or they have a different teacher, all that. And for that, schools create a substitution plan.
01:02
There's software for that, for example Untis, and these substitution plans need to be distributed. In Germany a lot of schools use Digitales Schwarzes Brett, or digital black board, or DSB, for that. It works like this. Oh, yeah, it works like this: the school uploads the plan.
01:24
Pupils can read this substitution plan on these DSB screens, on their mobile devices using the client software developed by heinekingmedia, and using the website, once they have the credentials that they acquired from their school.
01:42
It's one pair of username and password for all pupils and one for all teachers. Well, and this costs money: schools buy way too expensive screens from heinekingmedia, and then the schools pay extra for this
02:00
fantastic web interface here, where you can sign in and view your substitution plans. You can also use this mobile app. It's not really good though, as I will explain. This is what it looks like. Things are tiny, as you can see. It's obviously proprietary software; it depends on Google Play services.
02:24
You need to zoom around, you need to scroll around to see all the information because it's so tiny. So this is super suboptimal. I don't even know why this is so small. If you look it up in a web browser, it zooms fine when you have a small device, and I really don't know how that
02:46
got screwed up like that. It has useless push notifications like "new content available". It's not useful, and you have to click at least one time too many all the time. Due to these issues, I always wanted something that is better than DSBmobile.
03:02
So I began capturing DSBmobile's network traffic. Surprisingly, in Android this is really easy. You can use user-friendly software like HttpCanary, which is this one, or Packet Capture, which is this one. It's
03:21
unfortunately proprietary, but I don't know any non-proprietary software for this; if you know any, please tell me. It acts like a VPN provider app and proxies all the traffic that is going out through it. It installs a certificate in your system so that apps still think that the network connection is secure, and
03:45
then this app will decrypt and store and re-encrypt all the traffic that is going out and in, so you can read it. This is essentially like an attacker-in-the-middle attack that you're doing yourself on your own network traffic.
04:03
Yeah, except on recent Android versions, apparently Android doesn't trust certificates that you install anymore. So you actually now have to have root access to move them to this location, /system/etc/security/cacerts, so they are ultimately trusted, and
04:23
this is unfortunate because it makes it a little more difficult. But in older Android versions it works really easily. With more effort, this capturing of network traffic can be circumvented by
04:42
implementing a kind of certificate pinning, so that the app checks beforehand which certificates it trusts and which it doesn't. With more effort such a prevention could also be circumvented, but DSBmobile didn't have that. So I could figure out how this endpoint works. As you can see, it's called the
05:03
iPhone service, on Android. Using your user ID and the password you can request an auth token. It has the form of this. Actually, that's what it looks like when you have invalid credentials.
05:22
So if it returns this, then you can [unclear]. It never changes, so I don't know what the use of this token is. However, DSBmobile never stored it, even though it's the same all the time.
05:41
So it took one extra round-trip time every login to fetch this never-changing auth token. Using this auth token you can request your substitution plan URL, and then once you have this substitution plan URL, you can access your substitution plan.
06:01
Okay, so using this knowledge I developed a client that allows me to directly have access to just the relevant information, and I call it DSBDirect. The very first thing it did better than DSBmobile is that it displayed things not as tiny. This is a kind of old screenshot, as you can see. These HTML files here
06:24
can be parsed using a parser, such that you can filter it. You can have useful notifications, which I added later on. This is a native list, not a web view, so it feels better, and
06:43
yeah, of course it's not proprietary, but free software. Yeah, oh, by the way, this logo. It's supposed to represent my school's logo, this one.
07:04
Yeah, please don't tell me I did too bad. Okay, at least it's different from the DSBmobile logo. The endpoint is fun in other regards. The first time I encountered it, it allowed completely unencrypted connections, and the website did not redirect users to HTTPS, so
07:24
actually you'd most of the time input your username and password and transmit it unsecured. It supported up to TLS version 1.0, which is obsolete. It supported SSL version 2, which enables a DROWN attack, which I didn't quite understand, but
07:45
apparently those aren't very likely to be exploited here. But it could allow attackers to read your traffic. I informed the company about this on August 11th, and I believe this is when I introduced the "not my fault" grumble tag in the issue tracker.
08:04
They were happy to be informed about this. On August 22nd they enabled TLS version 1.2, disabled SSL version 2, still allowed insecure connections, and I also noticed that they embedded fonts from Google,
08:23
and this is obviously bad for privacy, so I told them about that, twice. September 19th, the iPhone service refuses if the connection is insecure. However, Google fonts are still embedded.
08:41
Anyhow, it's October 4th that the iPhone service is shut down, so I start focusing on the new endpoint that apparently the DSB apps have been using for a while, which I didn't notice. So I had to figure out how this data format works. It looks like
09:07
this. So you can see it has a JSON body, which has a request, which is an object that has data, which is a string.
09:23
So much to figure out how to read this. It looks like base64 when unescaping these slashes, of course, because it's encoded in JSON. However, decoding this base64 string did not deliver a nice result.
09:44
So I had to look for clues by decompiling the app. There are online tools for that. Unfortunately the app was minified, or obfuscated, during compile time, which made the results not very readable. Which means that once you have it decompiled, you will have the first function in each class appear as "a", the
10:05
second one as "b" or something. Fortunately, I don't remember how exactly I did that. So instead we're going to have to look at whether this was legal or not, because that's interesting too. Because I think it is. Let's look at paragraph
10:22
69e UrhG, the copyright law. [Reads the German text of § 69e UrhG on decompilation aloud.]
10:40
[German reading continues.] So it says you may decompile without permission when it is strictly necessary while trying to create interoperability between two programs created independently from each other,
11:03
under these conditions, and here are three conditions. [Reads the first condition in German.] It says you must have permission to use the program.
11:22
Hey, I think I'm allowed to use the program. I'm assuming I am; my school paid for it. Second: [reads the second condition in German]. So the information you want to know is not already provided.
11:41
Yeah, actually heinekingmedia didn't document this, obviously, so yeah, that's fulfilled. Third: [reads the third condition in German]. So you're only decompiling the part that contains the information you want to know.
12:00
Yeah, I don't think this Android app is divided into parts, so let's just, let's just get that. The law text goes on stating three things you may not do with the information you gain from decompiling. [Reads the first point in German.]
12:25
So don't use it for other purposes than creating interoperability with the independently created program. Yeah, of course, I never use my knowledge for any other reasons. Never. [Reads the second point in German.]
12:45
So don't tell third parties about the information unless necessary for interoperability. Ah, yes, my free software implementation
13:00
couldn't be interoperable if the information wasn't public, unless it was non-free software, which it is not, obviously. [Reads the third point in German.] So don't violate the rest of the copyright law.
13:22
Of course we're not. Surely creating an alternative to something on its own doesn't violate copyright law, right? So yay, after doing it I discovered that I did so legally. So I found a usage of some class related to GZIP, so I tried around a bit and figured you could use this command to decrypt this
13:45
string, and guess what it is: more JSON. What an efficient data format. You're hiding encoded JSON inside more JSON. Let's look at the data we are sending. Of course, we have a user ID and a password.
14:05
Besides that we have a lot of data, apparently for statistics. You have the app's version, you have the package ID, the device model, the Android version and API level, the user's language and the current date. I
14:22
don't know why you have the date. I think they know the date that the query arrives at, but anyway. Sorry, some of this is redundant with the request header or user agent that is already sent. I don't know why they do that twice.
14:44
You have app ID, which is a unique per-installation ID, which I at first didn't know how to generate, and you have push ID, which is, I'm assuming, an ID generated by Google mobile services, known as Google Play Services, to enable push notifications.
15:00
So it becomes obvious that they're able to link requests together and possibly create usage patterns. What are they doing with this data? There's no privacy policy anywhere. Which of these fields are required? All of them but push ID, but most strings can be left empty. So DSBDirect sends the minimal amount of
15:24
requested data, which is everything, but with empty strings. And yeah, actually, guess what, the server allows insecure connections again, so something happened
15:46
on some date. The server-side verification of this query was changed and the field app version suddenly became mandatory. I ran some experiments and found examples of valid and invalid version names.
16:01
These are examples of valid version names. These are examples of invalid version names. Finally, app versions that aren't real versions of heinekingmedia's apps are accepted anyhow, like version 7.0.0. They're only at version 2.
16:21
5 point... I don't remember, 6, I don't think. So DSBDirect started sending along some app version, its own actually, which was 2.5, the same as an older DSBmobile release. And because I thought maybe they'd have more server-side changes in the future, I
16:44
implemented a new system. It was to prevent server-side changes from requiring an update, because that would mean I have to write changelogs, because F-Droid releases are slow, because the one who was uploading it to Google Play for me also always took a while, and
17:02
because of that there was now a "look for a fix" button that retrieves the news file, which is located at the repository's root, which allows me to inform users when they can expect a fix. It allows me to change this base JSON that credentials are appended to, which is
17:21
this, without the user ID and user password, so they're added to this JSON later. And in case they check that, I added an option to send the real date. I thought maybe that's what they would do next; they never did that, unfortunately.
17:42
This was the same release as the one with the version number fix, this one. We have good news elsewhere though. It was the same day, October 15th, that I received an email that app.dsbcontrol.de was no longer accessible on port 80 and that Google fonts were now being loaded locally.
18:05
This email contained no usual [German closing phrase, unclear in the recording]. Unfortunately, maybe they didn't want to hear from me anymore. I couldn't verify this at first. October 16th I could verify this, so a friend noted that they have slow deploy times apparently.
18:26
Round three. It's October 17th, and we're getting an invalid answer from the server again. Now the app ID has to be set to a UUID and the push ID has to be set to
18:42
something. It can't be empty. So we're now sending [unclear] as push ID. I wasn't aware of how to generate app IDs yet, so I just took the one that I had captured from my device. Contributor [name unclear] and me learned this through trial and error.
19:02
It was very bothersome because the server sometimes accepted and sometimes rejected the very same query. So this slow update cycle we'd noticed earlier turned out to be really bothersome and frustrating, because you'd try something and then it would work, and then you'd remove it again and it wouldn't work anymore,
19:20
and then you thought this was the cause for it, but actually it was just the slow release deploy cycle, likely. Or maybe they had just banned this app ID at this point in time, but I didn't realize. I'm not sure. Rather, I believe the server was generally struggling and rejecting logins, because my DSBmobile installation with this app ID
19:44
was also sometimes rejected. Anyhow, they seem to have reverted some of these changes later, which reaffirmed my belief that all DSBmobile installations were affected. Contributor [name unclear] figured out that device was now mandatory,
20:01
which meant not empty, so we sent device "a". I remembered to have at some point in time sent the words "[unclear]" or "Toaster" as a device, eventually. Now I thought we were smart. I added new functionality to this new system I explained earlier.
20:21
Firstly, as a precaution, I could remotely activate sending the last date. "Remotely" means that it happens when users click on "look for a fix". Secondly, I could now set an array of headers to send to the server, and thirdly, we had discovered some alternative endpoints.
20:41
To understand this, you first have to know that they have sold skinned versions of DSB. So this is the normal DSBmobile; I showed it earlier already. This is the ihaka-skinned DSBmobile. It's accessible via two URLs. That delivers the same data as this website.
21:02
It also has a corresponding skinned Android app. So I configured... so I could configure the endpoint the client would send the data to, because each of these had a different endpoint, and
21:21
this app used one of these two. However, this was tricky, because I had to prevent myself from giving myself the power to redirect users' queries to my own server. So I hard-coded four endpoint URLs,
21:43
mobile, web, ihaka mobile and app ihaka bb, into the app, so I could switch between them using an integer, and I set it to the ihaka mobile endpoint. I believe it was the very next day that the ihaka mobile and ihaka bb endpoints were broken. Actually, they returned invalid data in a way that crashed my app.
22:07
Whoops. And suddenly the web endpoint from the normal website was constantly moving to new locations, and there was a configuration.js script that contained where it was.
22:23
So I hard-coded into the app, as a precaution in case I'd need it later, a very specific way to find this location. It was like behind the seventh quotation mark or something, clearly unreliable, and suddenly the string was moved a line downwards, so it was now the ninth quotation mark.
22:44
Interesting. Also, this app stopped working. It's still on the Play Store now, and it's still not working. This website is still available, and it's not working because they broke their endpoint. This was around the time that this Google Play takedown notice reached us, because apparently DSBDirect
23:06
infringes the trademark of DSB. I don't feel qualified to comment on this, as I don't understand trademark law. I tried to ask for a specific clarification as to why they removed my app three times, but they never responded.
23:22
By the way, that's a nice trick you can do with emails you don't like: you can just pretend you never received them. So a few days later the website JavaScript, including configuration.js, was obfuscated in such a way that I don't understand how it works, but
23:41
it constantly invokes the debugger if the developer tools are open. You can in theory easily circumvent this by telling your browser to ignore its breakpoints. This doesn't seem to work with Firefox, but it works in Chromium. I don't know why. I'm just going to assume we could have figured this out somehow, be it that we could have had a web view running in the background if we absolutely had to, but
24:05
fortunately contributor [name unclear] had come up with what is needed to talk to the mobile endpoint. Now, because it's more data: through decompilation he learned that it was being generated using the default Java UUID class, UUID.
24:21
randomUUID().toString(). Also, device ID was mandatory, so I added spoofed data. I took a random device ID from this list, I took a random OS version from anything between 4.2 and 10.0, I took a random language, mostly German, sometimes English, and
24:43
as a bundle ID I took the package ID of DSBmobile, with an option to disable this via news in case it's getting in the way somehow. And that was the end of that. Apparently they stopped trying to prevent DSBmobile from working. Apparently F-Droid releases don't count to them, and it isn't worth their time, and maybe they're just uncreative.
25:07
I could still think of a few ways to tell DSBDirect and DSBmobile apart, but I'm clearly not going to tell them. However, just this month it was asked again why DSBmobile was removed from the Play Store, also because he believed we didn't violate German trademark law.
25:26
Contributor Jasmine, who is sitting here by the way, had uploaded DSBDirect to the Play Store again, and he received a rather interesting response. [Reads the German email aloud.]
25:51
We don't have your address and thus can't send you legally meaningful messages.
26:03
We don't know about your legal relationship. This is a bit strange, because I don't know either. According to my father we might be a Gesellschaft bürgerlichen Rechts, but it's not exactly proof of familiarity with free software.
26:21
[Reads the German email aloud.] "You may not use our internal API." I find it questionable whether a publicly facing API is to be considered internal.
26:43
One might argue that it is only for communication between software they control, but I believe I control my device and my client installation, making the API not internal. [Reads the German email aloud.]
27:01
[German reading continues.] I don't understand trademark law. There are so many trademarks starting with or just consisting of the letters DSB, with partially overlapping registered use cases, and their trademark doesn't have distinctive character [unclear]. I just don't understand it. By the way, there is another trademark, "Digitales Schwarzes Brett", which is
27:26
registered as a different one from DSB, which was once rejected as a national trademark just because it didn't have distinctive character. Why can there be European trademarks without distinctive character? I do not understand, and I'm not qualified to comment, and
27:44
[reads the German email aloud].
28:00
The first part is true. I had gotten that wrong. It counts as [unclear] when you provide a service, even for free, to the public. There's danger of confusion. This has to be about the letters DSB, right? Because as I explained earlier, our logo is completely unrelated. However, I'm not too certain that there really is danger of confusion that heinekingmedia is directly affected by, or exclusively affected
28:25
by. After all, one could also believe that it is an app that provides access to something related to the Danish Railway Company. Of course it is not, but it's about recognition value, which is not something that DSB has exclusively, for sure. [Reads the German email aloud.] Oh,
28:46
yeah, I already read about that. [German reading continues.]
29:02
[German reading continues.] That's the CEO of heinekingmedia. We're famous. We redirected this email to contributor Jasmine, who had DSBDirect up on the Play Store at this point of time,
29:24
and he decided to take it down and apologize, suddenly. And this was the very next day: he received an email that sounded a lot friendlier. [Reads the German email aloud.]
29:40
[German reading continues.] Had we asked for permission, I'm quite sure we would not have received it. [German reading continues.]
30:04
[German reading continues.] I'll rather leave this largely uncommented. I don't know exactly what they want from us, but I guess we'll have to see, and
30:26
that's the dramatic cliffhanger that we have to end our talk with. Events are yet to unroll. There's one thing that I can learn from this: don't use other people's trademarks, because trademark law is too complicated. Apologizing instead of rebelling seems to work better,
30:43
even if the thought of conflict entices you and you really do believe you're in the right. You probably just misunderstood the law. Alternatively, exclusively do such things anonymously. Decide beforehand what you want to put your name on. Thank you.