Why is this an “app”?
This summer, the kids’ performing arts school are singing and dancing in a show at Disneyland. We’re all very excited, but my excitement, at least, was muted a little when I was told to install the “Travelbound” app in order to get access to the itinerary, travel arrangements, and accommodation details.
Fuck that noise. This should have been a webpage. Why do you want me to install a(nother) shitty app just to tell me something that could have been a (smaller, faster, more universally-accessible) document?
There only seem to be two things that this “app” does, that a webpage might not have, and they’re both anti-features:
- It reports tracking data associated with your Google Account back to the developers.
- It shows you advertisements (which they call “inspirations”) for other trips organised by the same agency.
Fuck. Everything. About. That.
A webpage would have been so much better. Unlike this app, a webpage can be…1
- Copy-pastable
- Printable
- Saveable
- Bookmarkable
- Searchable
- Usable on virtually any device
- (Potentially) more-accessible
I’m annoyed enough… that I’m going to “fix” this app. Hold my beer.
Intercepting app traffic
It’s been a while since the last time I reverse-engineered an Android app from its network traffic, so I had to brush-up on the best way. Here’s what I ended up doing.
- Created a new virtual device in Android Studio’s Virtual Device Manager.
- Tested
adb shellwas working and used rootAVD to root it:./rootAVD.sh system-images/android-33/google_apis_playstore/x86_64/ramdisk.img.2 - Performed a cold boot, ran Magisk, and tweaked its settings to automatically grant
suaccess to any app that asked.3
- Ran HTTP Toolkit and told it to intercept AVD traffic. It installed a (fake) VPN provider, routing the phone’s traffic through the proxy.4
- Installed the Travelbound app from the Play Store.
- Configured HTTP Toolkit to proxy only the Travelbound app (more signal, less noise).
With only a couple of minutes experimentation I discovered that the app works by concatenating the username and password5 and using it in a URL of the form:
https://travelbound.api.vamoos.com/api/itineraries/{username}-{password}
This returns a pile of JSON which, with a little interpretation, can be seen to represent all of the content the app “shows”. E.g., there’s:
- an array containing each leg of the itinerary,
- an array containing all of the
“inspirations”advertisements to show you, - a cross-referenced array containing all of the files (images etc.) that are referenced by the other sections, etc.
A little experimentation showed me that the S3 image URLs were being delivered with moderately-short expiration times, so the JSON needs re-fetching periodically even if the content hasn’t been changed.6
Turning it into something better
Now I had everything I needed to make something… better. I wrote a Ruby script that runs on a Cron schedule to pull the latest JSON and use it to build a HTML page.
I chose to have it completely skip over the “inspirations” (“overlayRows” in the data schema) and just list:
- the items from the itinerary and
- all of the files not referenced by the inspirations nor itinerary, (a lazy way to collate the PDF download links).
Then I hosted the page, protected by a password: the same one my tour group were given in the first place. I included the raw JSON it used in <details> elements so it
can be checked if e.g. there are bits of the schema I didn’t see but that might appear later.
Some people like an “app”, and that’s… fine, I guess. But some apps could have been a webpage. And especially where, like this one, the content they deliver is already written in HTML and delivered over HTTP… they should be a webpage, right?
I can’t understand how we got to this place with “app culture”! Software companies are happy to make their lives harder (and more expensive: deploying to the big app stores isn’t free!), in order to deliver HTML content to fewer people and with fewer features7 than if they just published directly to the Web in the first place!
There are (some) tasks for which an “app” is absolutely the right choice of medium. Travelbound is not one of them.
But at least I (and the rest of our group, whom I’ve shared it with) now get the choice about how we access this content. Either a 43MB app (ballooning to 124MB when it’s finished downloading extra content) with tracking and advertisements… or a 0.05MB web page (with an optional extra 35MB of images) that provides more features and works on more devices. I know which one I’ll be using!
Footnotes
1 And these are just the features that everybody can get behind. The webpage I ultimately ended up making to replace the app also has some user-friendly/developer-hostile features, like the fact that it removes the tracking code and doesn’t show advertisements.
2 You need to root the device in order to force applications that use Certificate Pinning to trust your man-in-the-middle proxy server. Without this, some applications – including the one I wanted to reverse-engineer – will recognise your self-signed TLS certificate as invalid and refuse to communicate.
3 Without changing this setting in Magisk, I found that HTTP Toolkit would
request su access but not wait for the response, and go on to run in unprivileged mode before I had a chance to grant it!
4 Owing to Android security considerations I needed to manually install the root CA certificate it installed for me, but the instructions “just worked”.
5 The username and password is shared by an entire tour group. I’m guessing they don’t have a plan for if some credentials get leaked? Or possibly they consider all of the data they hold to be low-sensitivity enough that it doesn’t matter if it does… in which case I return to my original point: why the hell wasn’t it just a webpage in the first place?
6 Or else the images need caching locally, which seems to be what the app does, in the bloatiest possible way.
7 And, often, with worse accessibility. I’ve not audited the accessibility of this app, but there are things about it that suggest that it’d be harder to use using accessibility technologies than my plain, simple Web version.
I hardly use any mobile apps at all. In fact, the number of non-web apps I use on my phone in any given week I could probably count on one hand, two at the very most.
As far I’m concerned, “there’s an app for that” is a dead end…at least on mobile. Still plenty of room for pro-quality native apps on tablets/laptops/desktops.
It’s gotten to the point that “If you just download our app…” causes me to snap back with “Fuck your app!”.
Menu is only an app? Not worth it, not that hungry.
App required to get the displayed price? No sale.
Phones wouldn’t be so expensive if they didn’t need so much storage for thousands of apps.
It was a while ago, but I think it’s Fridays that lists cheese sticks under “Apps”.
It struck me as really really dumb.
outstanding
Thank you for doing a good thing
https://youtu.be/EqWRaAF6_WY?si=hfaeXjRKL3eQK4cI
> except now there’s no tracking, no ads
Which is probably why they made it an app, much more of a pain to block that crap when they have way more permissions for their code and users much less abilities to block things.
https://www.youtube.com/watch?v=uASUHbFEhWY&t=43s
Fry: I feel like a mindless zombie. I wish I knew how long we’ve been waiting.
Beeler: The eyePhone has an app for that!
Bender: Is there an app for kissin’ my shiny metal ass?
Beeler: Several!
Bender: Ooooooh!
Brilliant!! Made me laugh! “Hold my beer” 😆
same goes for Discord. Forum discussions used to be public, accessible on the web. Now hidden away behind Discord’s centralised account system.
This is the tech geek version of the heartwarming human interest story in the features section of the local newspaper.
the only goal of apps is to rip us of the control we have on our web browsers.
@niconiconi eyePhone, because it’s a surveillance gameboy
Bravo!
You must, whenever you can, avoid the usage of apps. Almost always you can find a website. Do not use TripAdviser, Booking or other go-betweens. It costs you money and all data on your device will be stolen and sold to the highest bidder. And always use a VPN set on a random Country and disable your location.
a level of spite I only aspire to
The Appetisation of what should be web functions was only acceptable before EDGE & 3G and tiny 2″ phone screens. Even in 2008 there were many phone OSes. It’s now just abusive and feeds the Apple /Alphabet (google) duopoly.
the worst of those are where the “app” is basically just scraping THEIR OWN WEBSITE and presentingthe same data and functions in a less-screwed-up way.
This covers nearly every state’s statewide trafiic map app.
@〽️ɪɢᴜᴇʟ much less the “app” is just a fucking Chrome tab made “native” (Electron). You can run Discord minus a few “features” on the web, at that point why not a PWA?
Boss move!
The tracking and the ads are the point.
This is awesome. I’m on an Alaskan cruise that pushes their app for everything. You couldn’t pay me enough to install it.
@Miakoda I think the Friday’s example is only supposed to be an abbreviation for “Appetizers”.
Also yeah, if I can only see the menu or price by installing an app, giving it location permissions, & reading it the three numbers on the back of my debit card, I’m not buying it!
this is wonderful
Aquí cuenta @dan cual es el proceso paso a paso para hacer ingeniería inversa a una app #android
Well done! Wish Ryanair took the same approach, but – nope. Tooth & nail, “MUST install app to get boarding pass, mate,” they said.
Luckily I read the small print and twigged I can still check in on their web page, then collect boarding pass at airport. Queues? You bet! But no corpversion.
I totally agree about app culture. ‘It’s better on the app.’ No it isn’t!
I’m a complete idiot technologically so I don’t know what you did, but if you are fighting the app dictatorship, good!💪
@Haelwenn And also much more illegal.
Apps are often webpages with DRM protections.
This was on my mind when I decided NOT to share the source code of this project, this time…
I once wrote a piece of how ‘documents’ on the Web are most often applications masquerading as documents.
https://blog.danieljanus.pl/web-of-documents/
We need an app that makes DanQs as a service
danq.me/2026/07/09/y…
Read more →
Yup, I absolutely refuse to use any apps that could be a website.
I do most of my online banking on my laptop and don’t have the bank’s app on my phone. I can log into my bank on my phone via the web browser if I really need to, which is rarely.
I do have some app that are my go to’s.
VLC as my media player.
Fossify Notes.
Tune in radio and BBC sounds for radio etc.
this should probably be a movement. A lot of volunteers offering web alternatives to obvious “apps” that shouldn’t be an app. Grab all those and collect them in a single web page.
Cpuld be called something like “there’s a webpage for that”.
ur a badass
Even if I wanted to use ALL THE APPS, I couldn’t. My older Samsung Android phone is almost out of memory with the limited apps I do use.
And that’s after deleting Facebook, Instagram, LinkedIn, and any other apps that I could delete.
If I do need an app while traveling, I quickly delete it afterward. I’m not savvy enough to reverse engineer an app!
the app culture is because even without explicit permission an APP can track you extensively … a webpage cannot.
So you know why now … MONEY xD
@Luna Lactea @Miakoda less apps (applications), more apps (appetizers)
@Miakoda @Morgan Yes!!!
@Miakoda I miss Friday’s, we lost all ours like 12 years ago and now the closest one to us is airside inside DFW, a completely convenient and accessible location…
Obviously at this point I only go to Friday’s when American makes me change planes at Dallas even though Tulsa is also an American hub…
OH MAN o_0 YES 100%
So many people get confused when I refuse to install apps. Some assume I don’t know how to use them or I’m tech illiterate (an older female bias some people have) so I have to explain why they suck. And I explain things like security and privacy concerns.
Seems like every shop and business wants you use their apps.
Also, I won’t eat at restaurants where they don’t take cash and want you to pay digitally ahead of time — some ask for your email address and/or phone number.
If I could, I’d consider ditching the phone altogether — but sadly they’ve become essential in many other ways.
So much this. I don’t want an app for every blooming web page. It’s called a browser. I don’t even want an app for every reward card they’re all in AnycodeWallet.
The meerkat site annoyed this year because I had to install an app to claim a voucher which previously you just did via the website
Brilliant. Using their own shenanigans against them.
You did a reverse-PWA
Appism is Antihumanism
ryan air now requires flyers to download their app to access their boarding pass. 🙄
A true public servant
finally someone with common sense, pointing out the brazen stupidity of others. Well done.
@AskPippa I’m totally with you.
I haven’t run into being asked to pay digitally or for an email address, although I have run into those qr code menus which I won’t use.
I was about to ask where you are when I noticed the Canadian flag in your username.
@Miakoda also, each app adds a background daemon so even if its off, still zapping that battery. And people wonder why the phone’s slow and battery draining
I like the petrol company that wants you to install its app so you can favorite your petrol type. You don’t get discounts, or price updates, and in exchange..
Side note: Your website loads insanely fast!
But but but … how will the vendor spy on you now?
@Mike Shake Shack is one place that won’t take cash. When I told a person behind the counter that I wanted to pay cash she looked at me condescendingly and said “We’re in the digital age now.”
I think she was maybe 19 or 20, and I guess her whole life has been digital.
company replaces an useful SAP vacation approval tool with a damn chatbot in two weeks of notice. I am fuming.
Very amazing.
@SO @Miakoda I go through my phone about once a month and turn off Allow to run in the Background for all the apps
@AskPippa wow!
https://files.mastodon.social/media_attachments/files/116/893/473/011/912/811/original/22274b9e968f7745.mp4
“Do you have our app?” No, fuck that I dont need a discount. “Why don’t you want the app?” K, bye. I really didn’t need a burrito anyway.
@AskPippa @Mike I’ve met such young people too. Apparently they spent their entire time on their phones. Mobile phones, mobile apps, mobile paying, mobile entertainments, that’s their 24/7. Those who still cling to the old physical world is a weirdo to them.
Why would they choose to make an app instead, though. I mean with browsers you’ve two, maybe three targets. Even sounds like extra work.
@Eljorgeabides @Miakoda what I’ve noticed with that has been tht if you do that, then they take even more battery. Not sure if thet or the bit about not ketting them connect unless foregrounded. The latter makes more sense right now as the network code would be looping right? Anyway, that’s what I’ve noticed
lol. I made an app because the webpage needed the browser to stay open to continue listening to the stream. But you’re right in most domains.
(fbi.radio unofficial app in both app stores)
use lockdown traffic mode. Only give network permission to very essential apps that u use daily/regularly.. Like browser, message app (signal). For rest of the apps only give permissions when u need them after the work cut off the permissions again…. Out of 30+ apps I only gave permission to 3 apps… Browser.. Signal & anti-virus for background check connection. I’m also thinking to delete Mastodon app and will use web version of Mastodon through browser,because it has anti feature.
It’s funny. I’ve had the opposite thought before, where some things should be apps. WebUSB and Web Bluetooth (both not available in Firefox) are an abomination.
> I can’t understand how we got to this place with “app culture”
We haven’t. We were forcibly and thoroughly pushed to this place. It was time ca. 10 years ago with this plague, when literally any business believed it needs an “app”. For whatever, even if it is was never really needed – but if you were a serious business, you know, you should have made an app and made your customers use it (by discounts, for example). And then, I guess, the regularly folks just become taught in that way.
@softproof good luck with their bluetooth suitcase scales/label printers that they have now installed in some airports!
ps. https://github.com/Ax6/ryanquack
@〽️ɪɢᴜᴇʟ @nohue You don’t have to use the app. It works fine as a website.
@skaphle @nohue it’s still locked behind their system and one cannot view any content unless you got an account.
LinkedIn: The experience is so much better in the app!
Me: And whose fault is that?
Thank you. So much better for accessible navigation. I don’t use a mobile phone. App driven design is a real pain for disabled folk like me. (not that anyone else is totally like me but you probably get that)
We have a PWA to distribute content. Customers keep asking us for an app.
So much so that management considers a wrapper app for the app stores even though we are already overworked and no one knows who should do the additional work that comes with it (me, probably).
Of course Apple doesn’t help with their stance towards supporting PWA features.
Somehow when we say “unfortunately that doesn’t work on an iPhone”, people do not blame Apple for it, neither do they stop buying iPhones.
Am I the only person here who thinks that datacenters and servers are ugly?
thank you for your service
While #Wimbledon may have made it hard to find the right bit of their web site while trying to get you to install their app, at least it could be done.
A nice story from Dan on dealing with being forced to an app for some basic critical functionality … As someone who uses a handset that isn’t directly Android or Apple based I approve of this. 🔗
I think the main reason people build apps instead of websites is the “native” feel for mobile phones, and have an icon for yourself on the home screen instead of opening a browser and typing your own.
Of course you can do a PWA, but then you are encouraged to make an APK out of it (with Bubblewrap or pwabuilder.com) so people can “just install it” from GPlay, instead of going through the browser to find darn option
This is solid reverse-engineering, bypassing the platform, building something small … love it.
My company has had a mobile app since day one (10+ years ago). Initially it was a first class citizen, with the web app second. We didn’t even have a mobile friendly web app. Over the years we got constant feedback that people didn’t want to install an app. We made our site mobile friendly and went from large mobile dev team to one dev doing basic maintenance on the mobile app. We didn’t get rid of it, but it’s just an option and not something we push people to.
It’s not because my company is so awesome and aligned to doing the best thing for everyone. We just heard constant complaints so it was a no-brainer to back burner the mobile app.
@Lamotum @Mike Yeah. And when I talk about privacy issues I often get “Nah, not worried about a few advertisers wanting to sell me things.” Back in the day I had a similar attitude — then I learned more about the implications and dangers.
Right? Sonder was one of the worst offenders for that, hounding you to download their app and view updates repeatedly starting immediately after you made your reservation, even if it was still weeks away. Hard Nope.
@Jack LinkedIn will now forcibly close the tab on mobile browsers if you don’t agree to download the app.
@bill whoa wtf? not experienced this yet on Firefox for Android but ffs screw em
@Garbys I can answer that! Power. With an app, you can basically own that device. Most people don’t read all the permissions they accept, but our App (internal) is designed for our field workers to take pictures of construction sites before/after and do timesheets, etc… With our App, we were able to track where they were all the time, access the files on their phones, sync things off our servers onto their phones without permission. Run in the background all the time. View all their contacts, email, texts, etc… Show popups and adds whenever they want. Companies sell this access and data.
So, it *IS* a pain, but you have a MASSIVE amount of power. So when a company is like, “Sorry, you can’t go to this linked in page or this facebook page without our app….”, that is 100% because it *benefits them more than the cost*
I develop shit like this for a living (internal systems only) and I am disgusted by most companies who abuse it. I hope PWAs become the norm.
@GOKU What is this “lockdown traffic mode”? Google isn’t finding anything like that native on Android (maybe they’re hiding it from search?) Or is this in a specific firewall app? I would love to be able to set network restrictions (and cell data restrictions, wifi only) on a per-app basis.
👍 * 1000 on Dan’s original post.
@bill @jack If this is true, then I’m never going back to LinkedIn. I haven’t used it for years anyway.
THANK YOU!
eBay nags me to install the app every damn day. It drives me crazy. I use a laptop with a conveniently large keyboard and nice big screen. Why would I want to DOWNGRADE my UX?
@Mike Torr @jack I have experienced it several times. I can’t screen cap it without leaking personal info, but I just tested again. The “bottom sheet” element appears. If you tap ANYWHERE the tab closes. I’m using Vivaldi on Android.
Interestingly, going back to LinkedIn after, I was able to browse much longer without encountering that UI element.
@bill @Mike Torr What I’ve found is that pane adds an anchor link to the URL and closing it performs a browser “back” navigation and maybe that closes the tab in Vivaldi but just reverts the URL on Android
it does often end up in a state where I cannot interact with anything on the page until I reload the tab
@Snippety Snap same here, my Samsung just isn’t app friendly 😂, the other day there was a girl outside the local supermarket, trying to catch naive innocents to stick another app on their device, claiming a variety of discounts and specials the app apparently entitles you to, she was using aggressive marketing strategy, basically just accosting shoppers at the entrance. I also spotted an AI phone cleaner app. Tried to install it and realized it’s not free…I’m waiting for the day when we discard digital devices:) and the silly-con valley is but a distant memory.
@jack @bill Thanks for the info! Sounds like it COULD just be bad design, maybe.
I went to check it just now, and found that it’s rejecting my password. Hmm… maybe I actually closed my account already and forgot :-|
@jack @Mike Torr That’s interesting, it always felt like a bug but it’s been that way for so long that I assumed it was by design…
Vivaldi is a chromium fork, AFAIK, so I’m a bit surprised back navigation behavior would deviate from Chrome in this way.
Proprietary apps allow corporations to bypass the privacy and security settings and adblockers that I have installed in my browser. That’s why they want proprietary apps.
Comments [https://lobste.rs/s/vhbvwc/i_converted_android_app_webpage]
Read more →
I converted an Android app to a webpage via @abnv https://lobste.rs/s/vhbvwc #mobile #web
https://danq.me/2026/07/09/your-app-could-have-been-a-webpage/
mobile
web
I converted an Android app to a webpage
Read more →
great job. Thank you for taking one for the team and sharing your knowledge
Traveling in Japan this Summer, I learned the word: ‘App-pu-ree’. This is the Japanese borrowed word for mobile App. Every restaurant, public transit outfit, museum, hotel, taxi, grocery store wants you to download and install their App-pu-ree. This is the Summer of App-pu-ree bullshit. And I am refusing to install, use any of them.
Great work, I’m glad I’m not alone in being sick of this app bloat nonsense, for what’s otherwise a webpage.
Creating a shortcut on Android devices is very obfuscated to users, so I’m generally not terribly surprised companies prefer apps. But this is a case where you’re distributing a password presumably via text alongside a link to an app. This would be an ideal web app! Link to the password page directly and call it done.
/e/OS has a “web apps” section on their app store for Google Maps web, etc. PWAs are fairly easy to use, but I’m not sure what the default Chrome Android, or even vendor Android, does in terms of prompting to create a shortcut and making it discoverable.
Clearly the users aren’t being served here though, and I’m not sure what we need to do to help them.
To complete the comedy: What even is the difference between an app and a webpage to the average user (read: computer illiteral person)? It’s the shortcut on the desktop/homescreen.
If only you could ship a desktop shortcut to your webpage, that would be a very inexpensive way to develop an app, and what probably most apps could have been.
@anordal If you have a webpage open in Safari on iOS, you can click the share button, “View More” and then “Add to Home Screen”. It adds an icon to the home screen. Tapping the icon does not open another browser tab but rather spawns a standalone window, like a regular app.
This is how I distribute my “home-cooked” family expenses tool without publishing to App Store.
This is due to Intellectual Property laws that enshittificate the market thanks to one on forbidding to reverse engineer mobile application:
https://www.pcmag.com/news/cory-doctorows-plan-for-a-better-internet-legalize-jailbreaking-modding
@jack @Mike Torr
Confirmed that the browser back navigation works “as expected” on Chrome, Firefox, and Samsung Internet on an Android phone, so this must be a Vivaldi specific issue (which I still find strange).
*I say “as expected” because it still resets your whole damn feed, which is a different kind of user hostility…
@n3t I find it amusing that, originally, Steve Jobs claimed that web apps were so good that you wouldn’t need native apps and would just write web apps for the iPhone and now Apple’s approval process is so painful that people prefer to write web apps for the iPhone.
@david_chisnall I thought of that story, too, but I’m wondering to what extent it was his genuine belief, versus needing to say something because they didn’t yet have a software distribution method he liked.
Reading this 9to5mac post from 2011, it seems at least part of the issue was he didn’t think they had the moderation bandwidth (which of course presupposes that they had to have a centralised, monopolistic app distribution platform to begin with).
Tangentially, there’s also this bit at the end:
I had a number of Symbian phones in the 2000s, and there definitely were apps clearly made by just regular people. Yes, they way you found out about them was from “best applications for your Nokia smartphone” type websites (of varying levels of jank), or enthusiast forums, so discovery was hard if you didn’t know about those. But once you had a link to a .sis or whatever, you just downloaded and installed the thing.
I guess those phones were never popular in the US, where carriers did control everything.
@lake
This was also the reason I didn’t think the iPhone would be successful. The US carrier environment made it really hard for any phone to show of its benefits and a phone designed for that environment would appear very bad in the rest of the world. I didn’t take into account how much Jobs would be able to persuade AT&T. Even then, the iPhone was pretty bad. It didn’t support 3G (my old Nokia did), it didn’t sync with the Mac without a cloud thing (my old Nokia did), it couldn’t make SIP calls over WiFi (my old Nokia did), it couldn’t run third-party apps out of the box (my old Nokia did). It wasn’t until Apple shipped the iPhone 3G and removed iSync from OS X that they reached parity.
@david_chisnall I wouldn’t mind the approval process itself that much* but I do mind having to buy a macOS machine and paying Apple ~€100/year just to publish something in App Store.
* Although I do think that sideloading should be available.
@n3t I must be doing something wrong: I added weather.gov to my iOS Home Screen using this approach, and it does indeed open a new tab in Mobile Safari.
@Teckla Are you running an older version of iOS? Before version 26 it required a web app manifest to open a web page in stand-alone mode, but it was changed to use app mode by default for web pages opened via home screen icons.
@fanf I’m on iOS 26.
I deleted it from the home screen and added it back again — now it opens in its own window!
Perhaps it was opening in a Mobile Safari tab because I added it to my home screen a long time ago?
So many “apps” could just be webpages. It’s incredibly frustrating how many dumb things now require installing an app for no reason. Or the systems that could use an app to do local device connections but instead use an app that goes through a central server to communicate with a local device connections- thus defeating the only justification for having an app.
Sigh. Original iPhone intended webpages to be the app platform but instead we have the modern garbage.
My mobile network provider used to offer a fully functional web backend to manage the contract (invoices, book packages, etc.).
However, a few months ago they shut this down and now force you to install the app, even to view invoices, etc.
@Lamotum @Mike Ikea no longer accepts cash at their stores. And it’s all self-checkout.
I appreciate the sentiment and prefer to use websites instead of installing another stinkin’ app. I’ll even enable desktop mode if necessary. Mobile apps have one advantage that I can discern: fewer clicks to get to what you want for those who don’t want to fuss.
all services should be available via the web, without any smartphone. having an app is fine, but the website should have all of the features
also none of that remote attestation drm bullshit. fuck remote attestaton
Just because you can doesn’t mean you should. Leave it to the corpos to over-complicate a simple itinerary for invasive and annoying reasons.
I think the post both directly and indirectly answers its own question when it states that the app does two things:
It’s a lot easier to be user-hostile with an app than a website, and a lot harder for the average user to detect or block the bad behavior. Just about everyone at this point knows how to install a content blocker, open dev tools, and block stuff with their browser. The number of people with the ability, time, and energy to circumvent cert-pinning and inspect an app’s traffic like this guy did is significantly smaller.
There’s a reason why every company is constantly shoving apps down our throats and telling us all the cool young people are mobile-first.
Wait, what? LOL
Read more →
If it was not a native app the API would have to be less shit
Read more →
This is very good research, I wish it was easier though
Read more →
Old fashioned I know, but why is it a website, just email me, if something changes email me the update… why are you makeing a job for me in remebering to go check a thing when all the relevent info and updates could just be sent straight to me in an email…
100%. This could have absolutely been an email.
They’re trying to communicate with a disparate group that are already connected over WhatsApp, though… but that could still have worked. This could absolutely have been a WhatsApp message.
But failing all of the above: this could absolutely have been a web page.
Doesn’t even need a whole site. One page. Could have been a shared-to-view Google Doc, for example.
An app? Way out.
Great job! I’ve thought about automating a process like this – something which gives you a window into an app’s content via a website, cached and all so it just feels like the web.
Also I recently had to uninstall 20 apps like this to update iOS…
On the it could have been an email.
Wish I could get people back from the grip of apps like WhatsCRApp.
And it’s not as if they provide apps for my main phone (using Ubuntu Touch).
Nice article…
Do you plan at any point a more generic work through of the process used here, such that anyone comfortable with terminal commands could apply a similar workflow to ANY “app” they found themselves being told they “needed” for which the thing is very clearly nothing but a more inconvenient version of a webpage. Wondering if there’s a universally applicable version of this concept, especially of relevance to disabled users who use nothing but a desktop (for sake of various accessibility features available on a system you have real root control of). A no-phone workflow to turn apps in to desktop-viewable pages. Thanks
I suspect that this walkthrough’s as generic as it gets: (1) sniff the traffic the app sends/receives, (2) work out what it “means”, (3) do what needs to be done with it. Only the first part of that is universal; everything else may vary from app to app.
Would you consider writing a skill file for the Android reverse engineering parts of this so that we can get Opus or Fable to do it for us?
QUESTION – For Dan or anyone knowledgeable, in Android Device Manager, there is no option for a Google Play Store version of API 33 Android 13 for Pixel 6 Pro. Does anyone know what the exact device, API, Android version and ABI was used for this setup? When I selected Pixel 7 Pro x86_64 with API 33 Android 13, it installs and I can root magisk with rootAVD but the travel app in question says it can not be installed on that device. The exact device config would be very helpful. Thanks ahead of time.