Beta testing of WebUSBUnpinner - a tool to investigate platform worker's privacy and rights violations
16 points by chobeat
Reversing.works is looking for technical beta testers. Help us empower workers against their employer’s surveillance by testing our tool WebUSB Unpinner.
They really need a better explanation of what this is. Nothing in this post explains what this tool is meant to do or who it benefits, aside from "workers."
there's an explainer linked in the post: https://reversing.works/posts/2025/12/webusb-unpinner-network-analysis-for-the-masses/
The naming of Unpinner is unclear but I assume it's named after TLS certificate pinning?
The use of ADB to only redirect a single app's network traffic is pretty cool though.
I couldn't even tell if it's redirecting itself or just unpinning without reading the code, but apparently it is. It hooks the libc socket functions (I think?) to redirect connections only from the targeted process to the proxy.
Clever, but as the sibling post says... yeah, this needs a way better explanation. I'm a reverse engineer and even I couldn't figure out at first glance what this is actually doing and what's going on over the WebUSB connection (answer: just app patching, not traffic).
What would be really cool is if they bundled the MiTM software and ran it over ADB too (socket forward). Then the whole thing could run in a browser. The problem then is... you can't generate arbitrary outgoing traffic from a website (CORS and all that). So you'd still need to run some other app to work around that...
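The per-process redirection mechanism described in this comment (hooking libc's socket functions so that only the targeted app's connections go to the proxy) can be illustrated with a small connect() interposer. The code below is an added example written for this page; it is not WebUSB Unpinner's code and makes no claim about how that project implements it. The proxy address, port, fd table size and the `BUILD_AS_PRELOAD` macro are assumptions chosen for the example. It records the original destination of each diverted socket so a transparent proxy can still learn where the app actually wanted to connect, and it leaves loopback traffic alone so the proxy connection itself is never re-diverted.

```c
#define _GNU_SOURCE            /* for RTLD_NEXT when built as a preload library */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>

/* Hypothetical proxy listening address (constructed for this example). */
#define PROXY_ADDR "127.0.0.1"
#define PROXY_PORT 8080
#define MAX_FDS    1024        /* assumed upper bound on tracked descriptors */

/* Original destination recorded per socket fd, so the proxy (or a debug
 * hook) can learn where the app really wanted to go after the rewrite. */
static struct sockaddr_in g_orig_dst[MAX_FDS];
static int g_tracked[MAX_FDS];

/* Build an IPv4 sockaddr from a dotted quad and port (constructed input). */
struct sockaddr_in make_addr(const char *ip, uint16_t port)
{
    struct sockaddr_in a;
    memset(&a, 0, sizeof a);
    a.sin_family = AF_INET;
    a.sin_port = htons(port);
    a.sin_addr.s_addr = inet_addr(ip);
    return a;
}

/* Decide whether a connect() target should be diverted. Only IPv4 is
 * handled here, and loopback is skipped so local IPC and the proxy
 * connection itself are not looped back into the hook. */
int should_redirect(const struct sockaddr *sa, socklen_t len)
{
    if (sa == NULL || sa->sa_family != AF_INET || len < sizeof(struct sockaddr_in))
        return 0;
    const struct sockaddr_in *in = (const struct sockaddr_in *)sa;
    uint32_t host = ntohl(in->sin_addr.s_addr);
    if ((host >> 24) == 127)   /* 127.0.0.0/8 */
        return 0;
    return 1;
}

/* Rewrite *dst in place to point at the proxy, remembering the original
 * destination for fd. Returns 1 if rewritten, 0 if left untouched. */
int redirect_to_proxy(int fd, struct sockaddr *dst, socklen_t len)
{
    if (fd < 0 || fd >= MAX_FDS || !should_redirect(dst, len))
        return 0;
    struct sockaddr_in *in = (struct sockaddr_in *)dst;
    g_orig_dst[fd] = *in;
    g_tracked[fd] = 1;
    in->sin_addr.s_addr = inet_addr(PROXY_ADDR);
    in->sin_port = htons(PROXY_PORT);
    return 1;
}

/* Look up the original destination; returns 0 if fd was never redirected. */
int original_destination(int fd, struct sockaddr_in *out)
{
    if (fd < 0 || fd >= MAX_FDS || !g_tracked[fd])
        return 0;
    *out = g_orig_dst[fd];
    return 1;
}

#ifdef BUILD_AS_PRELOAD
#include <dlfcn.h>
/* Interposed connect(): only the process this library is loaded into is
 * affected, which is what gives the single-app scoping. Copies the caller's
 * sockaddr before rewriting it so the app's own buffer is never modified. */
int connect(int fd, const struct sockaddr *addr, socklen_t len)
{
    int (*real_connect)(int, const struct sockaddr *, socklen_t) =
        (int (*)(int, const struct sockaddr *, socklen_t))dlsym(RTLD_NEXT, "connect");
    struct sockaddr_storage copy;
    if (addr == NULL || len > sizeof copy)
        return real_connect(fd, addr, len);   /* pass through anything odd */
    memcpy(&copy, addr, len);
    redirect_to_proxy(fd, (struct sockaddr *)&copy, len);
    return real_connect(fd, (struct sockaddr *)&copy, len);
}
#endif
```

Built with `-DBUILD_AS_PRELOAD -shared -fPIC` (and `-ldl` on older glibc) and loaded with LD_PRELOAD into a single test process, the interposer diverts that process's outbound IPv4 connections to the local proxy while every other process on the host is untouched. The same scoping is why a proxy on the device only ever sees the chosen app's traffic rather than everything the phone sends.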
The authors must know how this looks.
"Run this thing that we don't describe at all on your work phone to hack around apps that your entire paycheck and thus livelihood depend on. Trust us!"
This is dangerous and antithetical to ethical RE work. It's going to get people in trouble, and will only encourage people to stay quiet about issues when it does.
At least explain the motivations, expected findings, reasons for people to use this, and any credentials for why this isn't just completely blatant malware/internal corporate secret exfiltration.
Super bizarre page.
The data is not collected centrally by anybody. You need to run your own mitm server. This is a tool to collect your own data as a worker, or to help others do the same. You don't even need to run it on your work phone: you can do it on a test phone reserved for the data collection.