Today’s realisation: You can get instant Ramen noodles to be somewhat filling by throwing an extra half a handful of frozen peas into the boiling water.
One ID to rule them all, One ID to find them, One ID to bring them all and in the darkness bind them.
A test account just produced an HTTP 404 - Unauthorized while requesting an apk download from Google Play. Turns out, its session cookie had expired. The session in question was created May 30 01:15 (I need to stop pulling these all-nighters) and lasted till today(ish - pretty sure, it was in use yesterday). So, the session TTL for Google accounts seems to be around 150 days.
Not sure if there’s a renewal mechanism, other than running through the login process again (highly doubt it, though). Android users typically won’t notice when their session expires. The system’s account manager just automatically logs in again.
Because cold pizza and hot coffee only gets you so far…
Please sign in to confirm your age - No thanks.
Aww shit! Following up on yesterday’s post, there are actually quite a number of optional URL parameters that can be specified when making an HTTP request to the FDFE API. So far, I found:
Their values are configured globally in the playstore app. When set, they are appended to the URL in the order above on every HTTP GET or POST request to the DFE API. The latter three take a true or false as a value. Not sure what they are supposed to do, though.
I should probably add support for adding arbitrary URL parameters in the coon-mothership library.
The (F)DFE API supports a URL parameter called “ipCountryOverride”. It can be enabled in a “secret” developer dialog. I always suspected that this is somehow used by Google engineers when they need to bypass geo blocking, but I could never figure out what to pass as a value. Booleans as well as locales don’t work and obviously, you cannot use an IP address to represent a country. What’s even more curious is that the dialog loads data from a CSV file (which, of course, isn’t publicly available)!
You connect to a host called android.clients.google.com, when talking to the Playstore. That’s actually a DNS CNAME and can resolve to a number of different IP addresses. The Playstore is not a single/central server system! Google likely runs a separate instance of it in a local datacenter in every country in the world.
So, maybe the value for the ipCountryOverride parameter is the IP address of the (country) instance behind the load balancer then?
Huh, just discovered a couple of things about the GSF ID.
Ross Anderson explaining why contact tracing apps are bullshit.
Actually, I wonder why we are still discussing this. Contact tracing/tracking is something you do before it becomes an epidemic. We are way past that point.