Being a cat-and-mouse game, would the reaction from the app-owner be to shift the computation to methods that are not discernable by dissection of the app?
For example having the app be purely a data collection tool which then streams it to the server to do all computation?
No. Any sane engineering team would have built it that way in the first place, so they almost certainly don't have the competence to change it now, or possibly even to understand your question.
The reverse engineering is really secondary to the regulatory regime. The company in this story had already been investigated and fined before anyone had tried to reverse-engineer their app.
It's an offence under GDPR to fail to cooperate with a supervisory authority. There are extensive record-keeping and transparency requirements. Trying to play cat-and-mouse is itself illegal and likely to be legible to the regulator.
I think that would be the case if the employer was doing this on purpose.
I would bet this is more a case of business goals being met by dev teams in the quickest and easiest way possible, without anyone providing legal or regulatory oversight to ensure the implementation is complying with required laws.
That's not any kind of justification or excuse though!
Not so fast, Frida can be detected.. you need to deal with those detection vectors first.
I'd not be surprised if the next version of the app included an "integrity proctection" added officially in order to "protect couriers' security".. these can be bypassed, but it shows that exposing your tools is not always a wise move.
Being a cat-and-mouse game, would the reaction from the app-owner be to shift the computation to methods that are not discernable by dissection of the app?
For example having the app be purely a data collection tool which then streams it to the server to do all computation?
No. Any sane engineering team would have built it that way in the first place, so they almost certainly don't have the competence to change it now, or possibly even to understand your question.
The reverse engineering is really secondary to the regulatory regime. The company in this story had already been investigated and fined before anyone had tried to reverse-engineer their app.
It's an offence under GDPR to fail to cooperate with a supervisory authority. There are extensive record-keeping and transparency requirements. Trying to play cat-and-mouse is itself illegal and likely to be legible to the regulator.
https://gdpr-info.eu/art-30-gdpr/
I think that would be the case if the employer was doing this on purpose.
I would bet this is more a case of business goals being met by dev teams in the quickest and easiest way possible, without anyone providing legal or regulatory oversight to ensure the implementation is complying with required laws.
That's not any kind of justification or excuse though!
Not so fast, Frida can be detected.. you need to deal with those detection vectors first.
I'd not be surprised if the next version of the app included an "integrity proctection" added officially in order to "protect couriers' security".. these can be bypassed, but it shows that exposing your tools is not always a wise move.