Developer Reverse-Engineers Travel App, Turns It Into a Simple Webpage
Original: Your 'app' could have been a webpage (so I fixed it for you)
Why This Matters
Highlights growing developer pushback against app-only distribution of simple web content, and demonstrates practical privacy-focused alternatives via traffic interception.
Developer Dan Q intercepted network traffic from the Travelbound Android app, discovered it served only text, images, and PDF links via a simple JSON API, and rebuilt the entire itinerary as a static HTML page using a Ruby/Cron script—eliminating ads and tracking.
Dan Q, a developer whose children were required to install the Travelbound app to access a Disneyland trip itinerary, objected to what he described as unnecessary app overhead for content that is purely text, images, and PDF links. He identified two specific anti-features: Google Account-linked tracking data sent to developers, and advertisements for other trips labeled 'inspirations.'
To build an alternative, Q set up a rooted Android Virtual Device using Android Studio and rootAVD, then routed traffic through HTTP Toolkit to intercept the app's API calls. He found the app authenticates by concatenating username and password into a URL pattern: https://travelbound.api.vamoos.com/api/itineraries/{username}-{password}, which returns a JSON payload containing itinerary legs, advertisement overlays, and referenced media files.
Q wrote a Ruby script scheduled via Cron to periodically fetch the JSON—necessary because S3 image URLs carry short expiration times—and render it as a static HTML page, deliberately omitting the 'inspirations' advertisement array. The result is a printable, bookmarkable, copy-pastable, and broadly accessible document with no ads or tracking.