Raccoon v4.1.3 should fix the no download problem

Just a quick heads up. Raccoon v4.1.3 should fix the “app not downloading” issue that has arisen yesterday. However, I’m currently in a rush and don’t have time for a proper, tested release.

PS: If you haven’t done so already, now would be a really good time to buy a premium key. Your money is what keeps the project alive.

Posted in Coding

Raccoon: app search works, download doesn’t

Well folks, we need to talk. Today, I opened my mail client and was greeted with a “Raccoon is broken, fix it!” message. Most of the time that’s the result of a handling error, but once in a while, usually twice a year, Google actually changes something, causing Raccoon to stop working. Figuring out what what that something is, can easily take several days of research. Read more ›

Posted in Coding

Do not use fingerprint sensors! Period!

I had this discussion with a friend the other day, who is now the proud owner of a fingerprint protected front door and smartphone, but since fingerprint scanners are creeping into more and more security appliances, it is worth repeating it here. Read more ›

Posted in Security

Where does Raccoon store my credentials (and how can I view them)?

People ask (me) fairly often, how Raccoon handles their Google account (and if it’s safe to trust the software with their passwords). From my point of view, that’s a funny question. I’m always tempted to answer: “if the idea of loosing your account sounds scary to you, then maybe you already trusted Google too much!”. But that’s a discussion for another day. Read more ›

Posted in Tips and Tricks

Exporting Apps from Raccoon (into F-Droid repositories,…)

The question came up in a support request, but is probably interesting enough to blog about: “How do I write a script to copy apps from Raccoon‘s own repository to some place else?” Read more ›

Posted in Coding, Tips and Tricks

Let there be hackjob (DummyDroid updated)…

The plan was to rewrite DummyDroid from scratch, get rid of the ugly code and make it more userfriendly (ideally let it clone a device via USB) while I’m at it. Unfortunately, that would have taken several weeks (yes, the code rot is that bad) and in the meantime, no one would have been able to generate GSF IDs for mock devices (there are/were alternatives to DummyDroid, but I don’t think their respective authors bothered adapting to Google’s changed login procedure, yet). So, hack job time!

DummyDroid v1.2 is a case of “it compiles, ship it”. Cobbled together by merging in some code from Raccoon, compiled by guessing how the build process was suppose to work, using a source tree that’s in disarray. I’m not proud of it. I probably won’t bother cleaning things up, so no source code at the moment, either. This is only a temporary solution anyways.

Posted in Coding

Hillarious

Sometimes you find really funny stuff in your junkmail folder…

We are the Team Xball and we have chosen your website/network as target for our next DDoS attack.

Unfortunately your data was leaked in the recent hacking of the web site and we now have your information.
We have DataBase tax forms, DOB, Names, Addresses, Credit card details, bank account full details and more sensitive data.
Now, we can publish your details and your clients online who would damage the rating of the company
and would create many problems for you.
On Friday 16_06_2017_7:00p.m. GMT !!! We begin to attack your network servers and computers
We will produce a powerful DDoS attack – up to 250 Gbps
All data will be encrypted on computers Crypto-Ransomware
You can stop the attack beginning, if payment 1 bitcoin (2900 $).
Do you have time to pay. If you do not pay before the attack 1 bitcoin the price will increase to 10 bitcoins

Please send the bitcoin to the following Bitcoin address:
15sT9PaqautokcmSFbRCToLWeX7SAR2rww
Once you have paid we will automatically get informed that it was your payment.

What if I don’t pay?
If you decide not to pay, we will start the attack at the indicated date and uphold it until you do, there’s no counter measure to this, you will only end up wasting more money trying to find a solution. We will completely destroy your reputation amongst google and your customers and make sure your website will remain offline until you pay. We can publish your DataBase.
This is not a hoax, do not reply to this email, don’t try to reason or negotiate, we will not read any replies. Once you have paid we won’t start the attack and you will never hear from us again!
Please note that Bitcoin is anonymous and no one will find out that you have complied.

The noteworthy thing: this went to a burner address I used years ago. So I’m not particularly worried about team goofball following up on their threat (or even being capable of operating anything more complicated than their junkmail script for that matter).

Posted in Humor

The more I see of Android, the less convinced I am that Google only hires the smartest and the brightest

Today I log into Play to check on my apps. I am greeted by an updated design, twice as slow as the previous one, but hey, at least it’s material design now and I can waste some additional time on getting my bearings. What do I find after stumbling around for a bit? A menu item named Release Management|App Signing, where I can upload my APK signing key! Are you freaking kidding me?!

APK signing is already utterly broken with Android. The only reason for still bothering with it was so that no government could tell Google: “We want to wiretap user X. We know he uses app Y for communication. Here is a trojaned version of Y, push it to him as an update.” As long as Google didn’t have the signing key, they could simply tell any government: “not possible” and that would be it. Now they can (at least for those apps, where developers are stupid enough to relinquish their keys).

I can kinda see why Google added that feature to Play. Key management is a hassle and most Android “developers” are gold diggers with inferior technical skill who don’t understand cryptography. Those developers who actually do understand how app signing works, rather don’t want to bother with a broken by design system. The sensible solution here would have been to slowly phase out app signing, not to break the system even more!

Posted in Android, Rants

DummyDroid is still broken, by the way (in case you need to create a custom GSF ID).

Just so there’s no confusion: The same issue that has been preventing APK downloaders from logging in to Play lately also affects DummyDroid. I didn’t have the time to port the fix over from Raccoon, yet.

The unfortunate thing about DummyDroid is that it’s codebase is about as horrible as it’s usability. So it’s probably the right time now to finally start with that long since overdue rewrite of the application.

What you can do in the meantime:

  1. Start Raccoon
  2. From the menubar, select Help|Unlock features
  3. Complete the checkout process.

Yes, pummeling me with your wallet actually is the way to get me to work for you.

Posted in Android, Tinkering

Let’s talk about Raccoon v4.1.1

As probably everyone has noticed by now, pretty much all APK downloaders (not just Raccoon) have been started to fail lately. I don’t want to go into the technical details, but the reason for this is a recent change by Google to how apps have to log in to Play.

Figuring out how the “secret handshake” must be done now took me about one rather stressful week. Android, under the hood, simply isn’t pretty or easy to debug.

I’d like to thank everyone who decided to fund research and development of the Raccoon by buying a premium key. I’d also like to encourage everyone, who hasn’t done so far (the majority of users) to reconsider and upgrade as well.

Let me make one thing perfectly clear: Android is a moving target. This isn’t the first time, Google breaks Raccoon. It won’t be the last time either. However, my ability to fix things in a timely manner is limited by what is economically feasible. Making and distributing a software, such as Raccoon, is anything but trivial and it can only be done with the financial backup of paying customers. Even if you only need the basic features, buying premium is money well spent.

PS: Yes, I know, Paypal isn’t an option for everyone. In fact, I was working on adding credit card payment and bank wire transfer when Google decided to break things.

Posted in Android, Tinkering