
Let’s start with a formal introduction: I’m Kingshuk ‘Tito’ De from PiunikaWeb, interviewing Arjan Vlek, developer of Cyanogen & Oxygen Updater. Now it’s your turn.

Hi, I’m Arjan Vlek. I live in the Netherlands and love computers and making music. When I was young I always wanted to play some computer games, and later on I was all into playing keyboard / piano as well. Then, I started to write computer programs. As you may guess, I’m not the typical guy you’ll find around, but nonetheless I think life is an amazing thing to enjoy.

Given the popularity of OnePlus phones and their somewhat ‘weird’ OTA distribution policy, Oxygen Updater is quite popular among users. As the developer behind it, how do you explain the urge to create such an app?

Well, when I just had my OnePlus One I was always interested in new updates and trying new stuff. So when a new update came out I always installed it immediately and checked the forums to see what was new. As for the apps, I was actually inspired by a post on the OnePlus forums (https://forums.oneplus.com/threads/cyanogen-os-ota-status-tracking-page.304062/). This was about a website which offered update rollout statistics for Cyanogen OS users (remember: the very first OnePlus device, the OnePlus One, actually ran Cyanogen OS instead of Oxygen OS). But: that website required users to constantly check for themselves if a new update was available, as it did not offer push notifications. Also, it completely lacked information on how to actually install the updates on your device. Shortly said: It was accurate, but very technical. So: I wanted to create something more practical and user-friendly for the OnePlus community.

So it all started with an update website for the (now defunct) Cyanogen OS. Do you think perhaps OnePlus drew inspiration from Cyanogen OS and incorporated some of its features in Oxygen OS?

Surely, I do think OnePlus drew inspiration from Cyanogen software as it always allowed users to customize things on their phone. It was those things like off-screen gestures, switching between software / hardware buttons and notification center customization which were highly rewarded by Cyanogen users and later brought to OxygenOS. But: it did not go as far as Cyanogen once did. For example: I believe the Themes section was never ported over to it.

Umm… I’m changing the course (of interview) a little bit, how did you get interested in Android development? Oh, and any other type of developments?

I followed a minor course on Android development during my Software Engineering education, as I always liked to tinker with phones and now could start writing my own apps. As for other types of development (Java, PHP), I started those a bit earlier because I loved computers and wanted to make my own programs for them. But I also mainly learned them during my study and my job.

How are you making a living? Indie or professional development?

I am employed as a software engineer at 42 B.V, a local company which builds business software using Java and various other frameworks / tools. The app development business was mostly started during my study and greatly helped improving my development skills. However, the apps never earned that much money so I preferred the safety of a contract-based job over it.

Would you have any opinion on Google’s current Developer Policy, the ‘questionable’ steps taken by them in recent past and the state of indie development?

I almost never read / monitor those policies, unless required for legal reasons (i.e. providing a privacy policy and sticking to the SDK as much as possible). Google never rejected an update of my app, not even when I introduced the automatic update installation feature of Oxygen Updater which requires root access.

Back to the OTA tracking thing, perhaps it’s time to tell how we two discovered the other one and started contributing together! 😉

Well, that’s kinda interesting. We met when the Cyanogen Update tracker app broke down in November, 2015. Cyanogen had started requiring a key to access its FOTA (update) API, so we could no longer access it to retrieve update information in real-time. I had almost given up on the project when you sent me an email saying “I can help you find updates and research a possible solution”. From then on, we worked together to fix and improve the apps. And boy we did. We fixed Cyanogen Update Tracker and I was amazed how much you knew about mobile devices, software and especially the low-level stuff, such as firmware and rooting. Since we met you always helped me with the stuff which was above my knowledge level. Later on, in return, you used the software I made to manage the apps to mirror the imported updates for our community.

Making it slightly more technical, perhaps you can elaborate the behind-the-curtain workflow of Oxygen Updater for our readers.

When you use the Oxygen Updater app, it connects to its own server running a MySQL database, using a PHP API. This database contains all the update information which the server refreshes twice per hour from the OnePlus update servers (using a Java application). When a new version gets found, it gets added to the database and a push notification is automatically sent to all app users. This technique is used to reduce both the load on OnePlus’ servers (by app users opening my apps) and to reduce the amount of required work on my side (by automatically importing the updates). The only thing I don’t host myself are the downloads (zips) of the updates, as that would require a huge CDN server of which the costs cannot be covered by the profit of the apps.

That said, server budgets have always been limited, especially in the beginning of this project. The ads in the apps never earned that much money, so I had to be a bit creative.

I started with a Raspberry Pi I already had, with it only sending push notifications when a new Cyanogen version came out. Back then, all app users directly connected to a Cyanogen API which always showed the latest version, bypassing the staged rollout. Later, when the key was placed on that API, we needed to host our own database and a new way to obtain update information. We looked a bit inside of the code of the Cyanogen software (reverse engineering) and then found another server which also worked, but only provided a staged rollout based on a device ID (but you could just send a random set of numbers each time to skip the staged rollout).

As for the dedicated app server, I initially started that on an old Toughbook laptop I had once gotten from a relative (written off by his car company, but was still super reliable and power efficient). But it was old and slow so I quickly moved to a VPS once the app made enough money and I found cheaper VPS servers outside of my country.

Reversing Java bytecodes, hosting your first server on a Toughbook – man, these are something!

Yeah, it was really an adventure on its own. I feel kinda crazy of what I did back then, now that we have everything set up so much better. The decompilation of software was one of the hardest things of my project. I remember how hard it was, but how great it felt, to finally be able to take a look under the hood for the first time.

IIRC, someone with an adventurous mind did distribute a modded version of Oxygen Updater apk in recent past – stripping down Google Analytics, AdMob modules and such. What’s your point of view on it?

Well, that was not a nice movement after all. If he would only have removed the Analytics I wouldn’t have cared much. But by removing AdMob, he removed the sole way of generating income from the app. If many people were to use this modified app it would mean that I get nothing for it in return. So I had no other option than to force him to take the modded version offline. Luckily the guy did so, and later told me he was a bit too much obsessed by privacy and security, and I believe he thought that Google was evil. As a return, I decided to disable the Analytics as I never used them and these were in fact bad for users’ privacy.

And now the elephant in the room! Oxygen Updater is not properly supporting OnePlus’s new OTA mechanism. Can you please give us some insights?

Well, firstly OxygenOS (not Cyanogen OS!) had always used a pretty crappy OTA mechanism. It lacked HTTPS, which meant it sent your IMEI over a connection without any security at all (so any man-in-the-middle attacker could potentially steal it). OnePlus did this from the very beginning (that is, in 2015 when the OnePlus 2 came out) until September / October of 2018. Now, they’ve finally geared up their security. They’re using HTTPS now and are also sending the request body (that is: the piece of text containing the IMEI number and your current system version) fully encrypted. In terms of user security, this is a really good movement. But: in terms of the Oxygen Updater app, it is catastrophic. It means my server can no longer talk to the OnePlus server to import new update versions. The encryption is strong (AES) and reverse engineering it is not legal in my country. This means I cannot and will never do that. The only fix would be if OnePlus were to cooperate with me and give a (specialized) access key for my app, or if a large team of volunteers want to maintain the database by manually adding the update details of all newly released versions.

Interestingly OnePlus maintains two variations of their OS – Oxygen OS for the international market and Hydrogen OS for Chinese market. There was a talk to merge them up for faster update, but it still seems far fetched. As a software engineer, what’s your opinion on that?

I don’t think it’s too bad after all. China is a completely different country to most Western countries and India. It is a country in which you can barely use any services from Google. So you’ll at least need alternatives to Google Play, Google Maps, Gmail and Youtube. By offering a specialized OS version, OnePlus can at least bundle the “Chinese” alternatives to these apps with every phone, out-of-the-box. This should make people within China feel more comfortable when using their phone, than if they were getting one on which most apps don’t work at all.

In fact one of the CDN for OTA distribution is used for OPPO’s ColorOS as well. No need to dig through corporate shenanigans – we know you guys are connected. 😀

Yes, I know OnePlus and OPPO are connected. But I don’t care too much about it. As long as they both keep creating good products I’m happy with it. I only think OnePlus should let go of the “we are a small startup” mindset they still sometimes pose on their forums, as they are in business for almost 5 years now and have sold millions of phones already.

Has any representative from OnePlus ever contacted you?

Nope! Not once. I only recently contacted their Dutch community manager on my own, to see if we can arrange something for the Oxygen Updater situation, but he was not very positive on it. He earlier said to a friend of mine that he loved using Oxygen Updater, but to me he literally said that “it’s better for us that users update using the standard updates only, as newbies would otherwise be installing incompatible builds on their devices”. But if that were to be true, they would either be sending beta builds on their production systems or at least some group of people would be getting them when they are the first to receive an update. But I don’t believe his reasoning and think they’re just not allowed to open up the API for other apps.

OnePlus has been subject to multiple security vulnerabilities in recent past. Thing is, the way we use the OTA tracking was possible due to insecure implementation. I’m just wondering, why it’s the Chinese OEMs most of the times?

I don’t see a correlation between Chinese OEMs and security, as for example Apple had some serious security flaws last year as well. Remember the bug on which you could get root access on a Mac just by typing no password? And where the disk encryption password was visible in plain text? I do believe some cheaper manufacturers save money on security, but to say it’s mostly Chinese OEMs is not true. Or well, maybe there are more cheaper OEMs in China than any other country. But then it still lies within the fact they’ve got to save some pennies somewhere.

Well well well, (the obvious question) which OnePlus phone(s) do you have? Or any other devices?

I hope I’m not going to disappoint you, but I have to talk something personal in my answer. I only have bought a OnePlus One. I still use that for testing my app, but it’s not my daily driver anymore. I have used it as my daily driver from December 31, 2014 until April, 2018 and really enjoyed it.

Now, I use an iPhone 8. Yes, you read that right! This is where I have to admit something personal. In the last months of using the OPO, I started to customize it less and less. I used the stock launcher. I used the stock theme. I used almost no Android-only apps except testing my own apps. It was all I needed, but the phone was also getting less stable: sometimes the battery drained very fast, the phone had to be restarted quite often to re-enable mobile data, and the phone had always been very big for my tiny hands. But the most important reason: If I would have bought a new OnePlus device, I am afraid the app business would have taken over my life too much. Remember that I have a job and love making music as well. Part of making music is being a pianist of a church choir. Cyanogen Update Tracker and Oxygen Updater were means for me to improve my development and user support skills (some courses on these were awfully bad). They were fun to make during my study and for a while after as well.

But as of a while, I’ve been feeling more and more tired of answering the constant stream of user questions and the high responsibility I have. The joy to develop the app alongside my job has decreased a lot. That’s something a lot of people face (my colleagues and guys in chats / forums experience the same), so I needed to find a balance between work, hobbies and social life. With OU not being on my main phone, I can choose when I want to work on it. I just need to take my OPO, flip it on and then I can safely work on it without risking to lose my personal data (due to rooting or flashing required to test). On demand, that’s how I like to call it.

You might wonder why I did not start my own company and make the apps part of it. But without a formal agreement between me and OnePlus on using their update API, I cannot start a registered company on this project and I don’t think it will on its own provide enough income to earn my living.

As for owning Apple / iOS stuff, I already had an iPod touch in 2009 (when almost nobody had any smartphones at all) and have had an iPad since 2013 which has worked (and still works!) brilliantly. In fact, that iPad got 5 years of OS updates without delayed rollouts (and need of updater apps!). I could just go to Settings -> Software update and see it pop up right away. In my opinion, this is something no single Android manufacturer offers today.

Ever explored the field of custom ROM development?

I tried some ROMs on my OPO to test different Android versions but was never too keen on them. When my OPO was my daily driver I just wanted to use it and not having to reset / restore all my data every time. I did try some ROMs on a previous test device (Galaxy S4, which was already in bad shape when I got it), but that was more out of curiosity than actually using them. As for developing any ROMs myself: I’ve never done that.

However, in the past, I jailbroke my iPod touch to set a wallpaper on it (when that was not possible!), to add widgets and to install a custom theme on it. I really loved how the iOS jailbreak scene offered an easy-to-use storefront to install almost all mods through (Cydia). In Android / XDA land, you’ll still have to search a lot of things for yourself. Maybe the only thing that comes close to this, is the Xposed ecosystem with a built in plugin searcher.

Just curious: why did you choose ‘headsh0t95’ as the username in XDA?

That’s been my Steam / game nickname since 2010. I just use it on a lot of places.

I guess that’s it for now! Good luck for your developments and future works. 🙂

Thank you. It was a pleasure to share more of my journey with you!

Can be reached on:

Discord support channel. *LIMITED*

XDA. *LIMITED*

OnePlus forums.
