Free substitution for schools. Yeah, it was done by Finn Godau. Thank you to the translators for translating into German.

Let's start. In general, as you know, teachers can't always teach as planned, so students need to be informed when their lessons are moved in time or space or both, or don't take place, or are shortened, or have a different teacher, all that. For that, schools create a substitution plan. There's software for that, for example Untis, and these substitution plans need to be distributed. In Germany a lot of schools use "Digitales Schwarzes Brett", or digital signage board, or DSB, for that.

It works like this: the school uploads the plan, and pupils can read this substitution plan on these DSB screens, on their mobile devices using the client software developed by heinekingmedia, and using the website, once they have the credentials that they acquired from their school. It's one pair of username and password for all pupils and one for all teachers. Well, and this costs money. Schools buy way too expensive screens from heinekingmedia, and then the schools pay extra for this fantastic web interface here, where you can sign in and view your substitution plans.

You can also use this mobile app. It's not really good though, as I will explain. This is what it looks like. Things are tiny, as you can see. It's obviously proprietary software. It depends on Google Play Services. You need to zoom around, you need to scroll around to see all the information because it's so tiny, so this is super suboptimal. I don't even know why this is so small; if you look it up in a web browser, it zooms fine when you have a small device, and I really don't know how that is screwed up like that. It has useless push notifications like "new content available", which is not useful, and you have to click at least one time too much all the time. Due to these issues,
I always wanted something that is better than DSBmobile, so I began capturing DSBmobile's network traffic. Surprisingly, on Android this is really easy. You can use user-friendly software like HttpCanary, which is this one, or Packet Capture, which is this one. It's unfortunately proprietary, but I don't know any non-proprietary software for this. If you know any, please tell me.

It acts like a VPN provider app and proxies all the outgoing traffic through itself. It installs a certificate in your system so that apps still think that the network connection is secure, and then this app will decrypt, store and re-encrypt all the traffic that is going out and in, so you can read it. This is essentially like an attacker-in-the-middle attack that you're doing yourself on your own network traffic. Yeah, except on recent Android versions apparently Android doesn't trust certificates that you install anymore, so you actually now have to have root access to move them to /system/etc/security/cacerts so they are ultimately trusted. This is unfortunate because it makes it a little more difficult, but on older Android versions it works really easily.

With more effort, this capturing of network traffic can be prevented by implementing a kind of certificate pinning, so that the app checks beforehand which certificates it trusts and which it doesn't. With more effort, such a prevention could also be circumvented. But DSBmobile didn't have that, so I could figure out how this endpoint works. As you can see, it's called the iPhone service, on Android. Using your user ID and the password you can request an auth token. It has this form. Actually, that's what it looks like when you have invalid credentials, so if it returns this, then [unclear]. It never changes.
So I don't know what the use of this token is. However, DSBmobile never stored it, even though it's the same all the time, so it took one extra round trip time every login to fetch this never-changing auth token. Using this auth token you can request your substitution plan URL, and then once you have this substitution plan URL you can access your substitution plan.

Okay, so using this knowledge I developed a client that allows me to directly have access to just the relevant information, and I call it DSBDirect. The very first thing it did better than DSBmobile is that it displayed things not as tiny. This is a kind of old screenshot, as you can see. These HTML files here can be parsed using a parser such that you can filter it; you can have useful notifications, which I added later on; this is a native list, not a web view, so it feels better; and yeah, of course, it's not proprietary but free software. Yeah, oh, by the way, this logo: it's supposed to represent my school's logo, this one. Yeah, please don't tell me I did too bad. Okay, at least it's different from the DSBmobile logo.

Its endpoint is fun in other regards. The first time I encountered it, it allowed completely unencrypted connections, and the website did not redirect users to HTTPS, so actually you'd most of the time input your username and password and transmit it insecurely. It supported up to TLS version 1.0, which is obsolete. It supported SSL version 2, which enables a DROWN attack, which I didn't quite understand, but apparently those aren't very likely to be exploited here, but it could allow attackers to read your traffic. I informed the company about this on August 11th, and I believe this is when I introduced the "not my fault" grumble tag in the issue tracker. They were happy to be informed about this. On August 22nd they enabled TLS version 1.2, disabled SSL version 2, still allowed insecure connections, and I also noticed that they embedded fonts from Google, and this is obviously bad for privacy.
So I told them about that twice. September 19th: the iPhone service [unclear] if the connection is insecure; Google fonts are still embedded. Anyhow, it's October 4th that the iPhone service is shut down, so I start focusing on the new endpoint that apparently the DSB apps have been using for a while, which I didn't notice.

So I had to figure out how this data format works. It looks like this. You can see it has a JSON body which has a request, which is an object that has data, which is a string. So I wanted to figure out how to read this. It looks like base64 when unescaping these slashes, of course, because it's encoded in JSON. However, decoding this base64 string did not deliver a nice result, so I had to look for clues by decompiling the app. There are online tools for that. Unfortunately, the app was minified, or obfuscated, during compile time, which made the results not very readable, which means that once you have it decompiled, the first function in each class appears as "a" and the second one as "b" or something.
Fortunately, I don't remember how exactly I did that, so instead we're going to have to look at whether this was legal or not, because that's interesting too, and because I think it is. Let's look at § 69e UrhG, the German copyright law. The consent of the rightsholder is not necessary when the reproduction of the code or the translation of its form, in the sense of § 69c numbers 1 and 2, meaning decompiling, is indispensable to obtain the information necessary to create the interoperability of an independently created computer program with other programs, provided the following conditions are met. So it says you may decompile without permission when it is strictly necessary while trying to create interoperability between two programs created independently from each other, under these conditions, and here are three conditions.

First: the actions are performed by the licensee or by another person entitled to use a copy of the program, or on their behalf by a person authorized to do so. It says you must have permission to use the program. Hey, I think I'm allowed to use the program. I'm assuming I am; I paid for it.

Second: the information necessary for creating interoperability has not yet been made readily accessible to the persons named in number one. So the information you want to know is not already provided. Yeah, actually, heinekingmedia didn't document this, obviously. So, yeah, that's their fault.

Third: the actions limit themselves to the parts of the original program that are necessary for the creation of interoperability. So you're only decompiling the part that contains the information you want to know. Ah, yeah, I don't think this Android app is divided into parts.
So let's just get that. The law text goes on stating three things you may not do with the information you gain from decompiling. Information obtained through actions under paragraph 1 may not be used for purposes other than creating the interoperability of the independently created program. So don't use it for other purposes than creating interoperability with the independently created program. Yeah, of course, I never use my knowledge for any other reasons. Never.

And it may not be passed on to third parties, unless this is necessary for the interoperability of the independently created program. So don't tell third parties about the information unless necessary for interoperability. Ah, yes. My free software implementation couldn't be interoperable if the information wasn't public, unless it was non-free software, which it is not, obviously.

And it may not be used for the development, reproduction or marketing of a program with a substantially similar form of expression, or for any other acts that infringe copyright. So don't violate the rest of the copyright law. Of course, surely creating an alternative to something on its own doesn't violate copyright law, right? So yeah, after doing it I discovered that I did so legally.

So I found a usage of some class related to gzip. So I tried around a bit and figured you could use this command to decrypt this string, and guess what it is: it's more JSON. What an efficient data format: we're hiding our encoded JSON inside more JSON. Let's look at the data we are sending. Of course, we have a user ID and a password. Besides that, we have a lot of data, apparently for statistics.
You have the app's version, you have the package ID, the device model, the Android version and API level, the user's language and the current date. I don't know why you have the date; I think they know the date that the query arrives at, but yeah, you have that anyway. You have a... no, sorry, some of this is redundant with the request header, or user agent, that is already sent. I don't know why they do that twice. You have "app ID", which is a unique per-installation ID, which I at first didn't know how to generate, and you have "push ID", which is, I'm assuming, an ID generated by Google Mobile Services, I don't know, or Google Play Services, to enable push notifications.

So it becomes obvious that they're able to link requests together and possibly create usage patterns. What are they doing with this data? No clue. There's no privacy policy anywhere. Which of these fields are required? All of them but push ID, but most strings can be left empty, so DSBDirect sent the minimal amount of requested data, which is everything, but with empty strings. And yeah, actually, guess what, this server allows insecure connections again.

So something happened on some date: the server-side verification of this query was changed, and the field "app version" suddenly became mandatory. I ran some experiments and found examples of valid and invalid version names. These are examples of valid version names; these are examples of invalid version names. Finally, app versions that aren't real versions of heinekingmedia's apps are accepted anyhow, like version 7.0.0. We're only at version 2.5 point... I don't remember. Six, I think. So DSBDirect started sending along some app version, its own actually, which was 2.5, the same as an older DSBmobile release. And because I thought maybe they'd have more server-side changes in the future, I implemented a new system.
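As an added example (not code from the talk, from DSBDirect or from heinekingmedia), here is a Python round trip of the nested envelope just described: inner JSON, gzip-compressed, base64-encoded, placed as a string inside an outer JSON object, plus the reduced request with only the fields the server came to require. The key names ("req", "Data", "UserId", "UserPw", "AppVersion", "AppId", "Device" and the rest) and all sample values are assumptions for illustration, since the talk describes the fields only by name; the gzip magic-byte check shows why a plain base64 decode "did not deliver a nice result".

```python
import base64
import gzip
import json
import uuid
from typing import Optional

# Key names and sample values in this file are constructed for illustration;
# the talk names the fields only descriptively, not by their exact spelling.
GZIP_MAGIC = b"\x1f\x8b"


def pack_request(payload: dict) -> str:
    """Wrap a plain dict the way the mobile endpoint is described to expect it:
    inner JSON -> gzip -> base64 -> the "Data" string of an outer JSON object.
    This is encoding, not encryption: anyone holding the bytes can reverse it.
    """
    inner = json.dumps(payload, separators=(",", ":")).encode("utf-8")
    # mtime=0 keeps the gzip header deterministic, so the same payload
    # always packs to the same body (handy when diffing captures).
    data = base64.b64encode(gzip.compress(inner, mtime=0)).decode("ascii")
    return json.dumps({"req": {"Data": data}})


def looks_like_gzip(blob: bytes) -> bool:
    """True if the bytes start with the gzip magic number 1f 8b. A base64 field
    that decodes to this is compressed data, not text, which is exactly why a
    plain base64 decode of the capture produced garbage instead of JSON."""
    return blob[:2] == GZIP_MAGIC


def unpack_request(body: str) -> dict:
    """Reverse pack_request(): outer JSON -> base64 -> gunzip -> inner JSON.
    Raises ValueError if the Data field is base64 but not gzip."""
    data = json.loads(body)["req"]["Data"]
    blob = base64.b64decode(data)
    if not looks_like_gzip(blob):
        raise ValueError("Data field is base64 but not gzip-compressed")
    return json.loads(gzip.decompress(blob).decode("utf-8"))


def minimal_request(user_id: str, password: str,
                    app_id: Optional[str] = None) -> dict:
    """Build the reduced request the talk describes: credentials plus the
    fields the server came to require (an accepted app version, a UUID app ID,
    a non-empty device), with the remaining telemetry fields left empty."""
    return {
        "UserId": user_id,
        "UserPw": password,
        "AppVersion": "2.5",                   # a version string the server accepts
        "AppId": app_id or str(uuid.uuid4()),  # like Java UUID.randomUUID().toString()
        "Device": "toaster",                   # must be non-empty; content not checked
        "OsVersion": "",
        "Language": "",
        "BundleId": "",
        "PushId": "",                          # the one field that is optional
        "Date": "",                            # real date only when explicitly enabled
        "LastUpdate": "",
    }
```

The point for a defender: this wrapping is encoding, not encryption, so unpack_request() recovers the credentials from any captured body and their confidentiality depends entirely on TLS being enforced on the connection.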
It was to prevent server-side changes from requiring an update, because that would mean I have to write changelogs, because after that, releases are slow, because the one who was uploading it to Google Play for me also always took a while. Because of that, there was now a "look for a fix" button that reads the news file, which is located at the repository's root, which allows me to inform users when they can expect a fix. It allows me to change this base JSON that credentials are appended to, which is this, without the user ID and user password, so they're added to this JSON later. And in case they check that, I added an option to send the real date. I thought maybe that's what they would do next. They never did that, unfortunately. This was the same release as the one with the version number fix, this one.

We have good news elsewhere though. It was the same day, October 15th, that I received an email that app.dsbcontrol.de was no longer accessible on port 80 and that Google fonts were now being loaded locally. This email did not contain the usual "if you have any questions, feel free to contact me directly", unfortunately. Maybe they didn't want to hear from me anymore. I couldn't verify this at first. October 16th, I could verify this, so a friend noted that they have slow deploy times, apparently.

Round three. It's October 17th, and we're getting an invalid answer from the server again, and now the app ID has to be set to a UUID, and the last ID has to be set to something; it can't be empty. So we're now sending... So at first, I wasn't aware of how to generate app IDs yet.
So I just took the one that I had captured from my device. Contributor Bixilon and I learned this through trial and error. However, it was very bothersome, because the server sometimes accepted and sometimes rejected the very same query. So this slow update cycle we'd noticed earlier turned out to be really bothersome and frustrating, because you'd try something and then it would work, and then you'd remove it again and it wouldn't work anymore, and then you thought this was the cause for it, but actually it was just a slow release deploy cycle. Um, likely. Or maybe they had just banned this app ID at this point in time, but I didn't realize. I'm not sure. Rather, I believe the server was generally struggling and rejecting logins, because my DSBmobile installation with this app ID was also sometimes rejected. They seem to have reverted some of these changes later, which affirms, I believe, that all DSBmobile installations were affected.

Contributor Bixilon figured out that device was now mandatory, which meant not empty. So we send device "a". I remembered having at some point in time sent words like "cutoff" or "toaster" as a device, eventually.

Now I thought we were smart. I added new functionality to this new system I explained earlier. Firstly, as a precaution, I could remotely activate sending the last date. In case... I mean, remotely means that it happens when users click on "look for a fix". Secondly, I could now set an array of headers to send to the server. And thirdly, we had discovered some alternative endpoints. To understand this, you first have to know that they have sold skinned versions of DSB. So this is the normal DSBmobile; I showed it earlier already.
This is the IHACA-skinned DSBmobile, accessible via two URLs, that delivers the same data as this website. It also has a corresponding skinned Android app. So I configured... so I could configure the endpoint the client would send the data to, because each of these had a different endpoint, and this app used one of these two. However, this was tricky, because I had to prevent myself from giving myself the power to redirect users' queries to my own server. So I hard-coded four endpoint URLs, "mobile", "web", "IHACA mobile" and "IHACA bb", into the app so I could switch between them using an integer, and I set it to the IHACA mobile endpoint. I believe it was the very next day that the IHACA mobile and IHACA bb endpoints were broken. Actually, they returned invalid data in a way that crashed my app. Whoops.

And suddenly the web endpoint from the normal website was constantly moving to new locations, and there was a configuration.js script that contained where it was. So I hard-coded into the app, as a precaution in case I'd need it later, a very specific way to find this location, and it was like "behind the seventh quotation mark" or something. Clearly unreliable, and suddenly the string was moved a line downward, so it was now the ninth quotation mark. Interesting. Also, this app stopped working. It's still on the Play Store now, and it's still not working. This website is still available, and it's not working because they broke their endpoint. This was around the time that this Google Play takedown notice reached us, because apparently DSBDirect infringes the trademark of DSB.
I don't feel qualified to comment on this, as I don't understand trademark law. I tried to ask for a specific clarification as to why they removed my app, three times, but they never responded. Oh, by the way, that's a nice trick you can do with emails you don't like: you can just pretend you never received them.

So a few days later, the website JavaScript, including configuration.js, was obfuscated in such a way that I don't understand how it works, but it constantly invokes the debugger if the developer tools are open. You can in theory easily circumvent this by telling the browser to ignore breakpoints. This doesn't seem to work with Firefox, but it works in Chromium. I don't know why. I'm just going to assume we could have figured this out somehow, or that we could have had a web view running in the background if we absolutely had to. But fortunately, contributor Bixilon had come up with what is needed to talk to the mobile endpoint now, because it's more data. Through decompilation he learned that it was being generated using the default Java UUID class, UUID.randomUUID().toString(). Also, device ID was mandatory. So I had this bogus data: I took a random device ID from this list, I took a random OS version from anything between 4.0.2 and 10.0, I took a random language, mostly German, sometimes English, and as a bundle ID,
I took the package ID of DSBmobile, with an option to disable this via news in case it would get in the way somehow. And that was the end of that. Apparently they stopped trying to prevent DSBmobile from working. Apparently after that, releases don't count to them, and it isn't worth their time, or maybe they're just uncreative. I could still think of a few ways to tell DSBDirect and DSBmobile apart, but I'm clearly not going to tell them.

However, just this month Bixilon asked again why DSBmobile was removed from the Play Store, also because he believed we didn't violate German trademark law. Contributor Jasmich, who is sitting here by the way, had uploaded DSBDirect to the Play Store again, and he received a rather interesting response:

"Dear Mr. Bixilon, thank you for your email. Unfortunately, we see ourselves unable to conduct a qualified discourse on this topic with you, as neither your data nor Mr. Godau's are known to us." It means: unfortunately, we don't have your address and thus can't send you legally meaningful messages. Meaning, they want to send registered mail. "Also, it is not clear to us what legal relationship you have to each other." We don't know about your legal relationship.
This is a bit strange, because I don't know either. According to my father we might be a Gesellschaft bürgerlichen Rechts (a civil-law partnership), but it's not exactly proof of familiarity with free software. "Nevertheless, I would like to state our position clearly once more below: neither you nor any other third party is permitted to query our internal DSBmobile API for your own software products. We hereby prohibit this, in writing and for the last time." You may not use our internal API. I find it questionable whether a publicly facing API is to be considered internal. One might argue that it is only for communication between software they control, but I believe I control my device and my client installation, not them, making the API not internal.

"Placing an app with the same or a similar name to DSB on the market in the European area is also prohibited to you; trademark protection by heinekingmedia exists here." I don't understand trademark law. There are so many trademarks starting with, or just consisting of, the letters DSB, with partially overlapping registered use cases, and their trademark doesn't have distinctive character, Unterscheidungskraft. I just don't understand it. By the way, there's another trademark, "Digitales Schwarzes Brett", which is registered as a different one from DSB and was once rejected as a national trademark just because it didn't have distinctive character. Why can there be European trademarks without distinctive character? I do not understand, and I'm not qualified to comment.

"Providing it in the store is a commercial activity, no matter which economic purpose it follows. There is a likelihood of confusion. We hereby prohibit you from using the protected trademarks DSB [unclear]." The first part is true; I got that wrong.
It counts as geschäftlicher Verkehr (commercial activity) when you provide a service to the public, even for free. There's a likelihood of confusion. This has to be about the letters DSB, right? Because, as I explained earlier, our logo is completely unrelated. However, I'm not too certain that there really is a likelihood of confusion that heinekingmedia is directly affected by, or exclusively affected by. After all, one could also believe that it is an app that provides access to something related to the Danish railway company. Of course it is not, but it's about recognition value, which is not something that DSB has exclusively, for sure.

"We hereby prohibit you from using the protected trademarks DSB [unclear]." Oh yeah, I already read that out. "Should you continue to violate our clear demand, we will hand the case over to our legal representation, Dr. Selig, who is already in CC on this email" (scaring us), "and we will likewise continue to take action against any publication of such an app. Costs arising from this we would claim from you as damages. We ask for mandatory compliance. Kind regards, Andreas Norg." No, no, no, that's the CEO of heinekingmedia. Yeah, we're [unclear].

We redirected this email to contributor Jasmich, who had DSBDirect up on the Play Store at this point in time, and he decided to take it down and apologize. Suddenly, and this was the very next day, he received an email that sounds a lot friendlier: "Hello, thank you for your accommodation. We find your approach very good in principle. However, we would have liked you to have asked us for permission before publishing and using our API." Had we asked for permission,
I'm quite sure we would not have received it. "Nevertheless, we would like to acknowledge your commitment and would therefore like to invite you to visit us in Hannover. Perhaps you can help us build a better app with your ideas. Perhaps we will even find a way for you to help build it. We are happy to support young talent. We would be pleased to get to know you. I look forward to your reply. Kind regards." I'd rather leave this largely uncommented. I don't know exactly what they want from us, but I guess we'll have to see. And that's the dramatic cliffhanger that we have to end our talk with. Events are yet to unfold.

There's one thing that I can learn from this: don't use other people's trademarks, because trademark law is too complicated. Apologizing instead of rebelling seems to work better, even if the thought of conflict intrigues you and you really do believe you're in the right; you probably just misunderstood the law. Alternatively, exclusively do such things anonymously. Decide beforehand what you want to put your name on. Thank you.