'Coon Cave

A blog about software development, Google Play and Android in general. May contain traces of rambling. Feedback and subscriptions welcome!
Wednesday, September 9, 2020

Appstore == Rootkit

(ever thought of it this way?)

Friday, August 21, 2020

The ugly little truth about the Google/Apple Exposure Notification Framework

Using the Corona Warn App? You might have helped preventing a catastrophe. Just not the one you thought you did.

Friday, July 3, 2020

Raccoon 4.15.0

  • BUGFIX: Download without crashing when Google Play does not include a download auth cookie with the app delivery response.
Wednesday, July 1, 2020

Android app development: Be forced to use an excessively complex build system that tries to squeeze every byte out of your compiled code like it’s 1980, then adds a compat library that’s 10 times the size of the actual app.


Just because I need to probe devices with DummyDroid. Currently, I gather the needed information d by pushing a tiny DEX file (~50kb) to the device and talk directly to the various system services via IBinder (that’s what shell tools like pm do, too). But of course, for some strange reason, the AIDL files are not standardized, so this solution is unstable. I really need a Context, a Context can only be build by an ActivityThread and there’s no way to start one directly from ADB - the whole system was designed by lunatics.

Tuesday, June 30, 2020

Aww shit! Following up on yesterdays post, there are actually quite a number of optional URL parameters that can be specified when making a HTTP request to the FDFE API. So far, I found:

  • ipCountryOverride
  • mccmncOverride
  • skipCache
  • showStagingData
  • p13n

Their values are configured globally in the playstore app. When set, they are appended to the URL in the order above on every HTTP GET or POST request to the DFE API. The later three take a true or false as a value. Not sure what they are suppose to do, though.

I should probably add support for adding arbitrary URL parameters in the coon-mothership library.

Monday, June 29, 2020

The (F)DFE API supports an URL parameter called “ipCountryOverride”. It can be enabled in a “secret” developer dialog. I always suspected that this is somehow used by Google engineers when they need to bypass geo blocking, but I could never figure out what to pass as a value. Booleans as well as locales don’t work and obviously, you cannot use an IP address to represent a country. What’s even more curious is that dialog loads data from a CSV file (which, of course, isn’t publicly available)!

You connect to a host called android.clients.google.com, when talking to the Playstore. That’s actually a DNS CNAME and can resolve to a number of different IP addresses. The Playstore is not a single/central server system! Google likely runs a separate instance of it in a local datacenter in every country in the world.

So, maybe the value for the ipCountryOvveride parameter is the IP address of the (country) instance behind the load balancer then?

Sunday, June 28, 2020

OK Google, why is my third grader so bad at reading and writing?

Hello $NAME, children learn from their parents. You have shown your child how to use Google Now. Voice search is a feature that enables you ask a question and get a spoken answer. There’s no more reason to read or write yourself!

(True story, actually - the part about bringing kids up to be lazy)

I’m always stunned when watching a movie/TV show in which a criminal makes a final call, then breaks the phone and throws it away in order to get rid of incriminating evidence. Yeah, sure, burner phones exist to be disposed of, but why break them? Your telco has a record of the phone call and if the police found the wreckage (your telco also knows which radio mast you have been connected to, when making that final call), they could desolder the internal storage from the mainboard - NAND flash chips can be quite resilient. They are also very bad at actually erasing data (when you delete a file, the operating system just marks the storage space as available again. If you truly want to get rid of a file, then you would first have to overwrite it with random garbage. However, writing to NAND flash is slow and wears the chip down - the controller tries to avoid that).

Yeah ok, that’s a problem for criminals, not law abiding citizens. You have nothing to hide - except maybe the credentials for your Google account, online banking…

Something, one should probably keep in mind when selling a used phone: doing a factory reset means all data on the phone is lost — unless the new owner has specialized equipment.

Tuesday, June 16, 2020

Whenever I see MS Office and Open Office fanboys argue which is the better product, I always picture a scene in a hardware store where two guys argue which hammer to buy in order to drive screws into the wall.

When you want to print your writing, use LaTeX, just saying.

Saturday, June 13, 2020

Hrmpf! I started working on bringing app reviews to Raccoon. I’d rather not implement this. The more you dig into the API, the more you realize that this is nothing but a dark pattern to keep users engaged. It helps no one, but harms everyone.

  • You can’t really write a meaningful review of a product on a mobile device. Anything that’s longer than 2-3 sentences takes a lot of effort.
  • In case you feel so strongly about the app that spent the effort, you are probably thwarted by the character limit.
  • Even if you manage to write an actually useful review, no one will read it, as it gets pushed down by newer reviews and eventually drowns in drivel.
  • The only thing that may have a lasting effect is your star rating, but even that is utterly useless as it only contributes to an average based on vastly different rating criteria.
  • App developers are given every incentive to game the system by boosting their rankings with fake reviews.

So yes, you won’t make a difference by reviewing an app and you don’t gain any insight from reading reviews either.