Bucharest taxi – Timelapse

In another blog post I mentioned a public API that returns the coordinates of taxi cars in Bucharest (only the cars that run a specific taxi mobile app).

Since I am planning to learn Processing, I made a timelapse of the taxi cars' movement on a Saturday night. Here it is:

About 10 real seconds in a frame, 30 FPS.
So a video second represents about 5 minutes of real time.

UPDATE: More timelapses:
Same night, but zoomed out to cover the entire city:

With some color (the taxi companies are color-coded):

The Processing sketch files can be found in my GitHub repository.

Overriding annoyances – vplay.ro

There is a great site (vplay.ro) that lets you view TV shows online.

Recently they added a 5-minute wait timer before each episode, to nudge you toward buying their Premium package:

[Screenshot: vplay.ro]

I looked into it and the timer is only a client-side check. Even the user account is optional. You just have to post

key=[video_id]

to

vplus.ro/play/dinosaur.do

and you get back the (temporary?) URL for the video on a file server.

You can then watch the movie in VLC or even download it.
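
The server-side counterpart of this check, as an added example that is not code from vplay.ro or from this post: the wait is enforced at the point where the video URL is released, using an HMAC-signed ticket issued when the player page loads. The function names, the secret, the ticket format and the maximum ticket age are assumptions made for illustration.

```python
import hashlib
import hmac
import time
from typing import Optional

SECRET = b"constructed-demo-key"   # assumption: server-only secret, never sent to the client
WAIT_SECONDS = 5 * 60              # the 5-minute wait described in the post
MAX_AGE_SECONDS = 6 * 60 * 60      # assumption: stale tickets are refused


def _sign(video_id: str, issued_at: int) -> bytes:
    """MAC over the video id and the server's own issue time."""
    msg = f"{video_id}|{issued_at}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest().encode()


def issue_ticket(video_id: str, now: Optional[float] = None) -> str:
    """Called when the player page is served; this starts the server-side clock."""
    issued_at = int(time.time() if now is None else now)
    return f"{video_id}|{issued_at}|{_sign(video_id, issued_at).decode()}"


def may_release_url(ticket: str, video_id: str, now: Optional[float] = None) -> bool:
    """Decide, on the server, whether the video URL may be returned."""
    try:
        ticket_video, issued_raw, mac = ticket.split("|")
        issued_at = int(issued_raw)
    except ValueError:
        return False                       # malformed ticket
    if not hmac.compare_digest(mac.encode(), _sign(ticket_video, issued_at)):
        return False                       # issue time or video id was altered
    if ticket_video != video_id:
        return False                       # ticket was issued for another video
    elapsed = (time.time() if now is None else now) - issued_at
    # The countdown in the browser is only cosmetic; this comparison is the check.
    return WAIT_SECONDS <= elapsed <= MAX_AGE_SECONDS
```

A request that arrives without a ticket, or with one whose timestamp was edited, is refused regardless of what the page's JavaScript did.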

Security research – Android applications

Android applications are awesome. Especially the ones that talk to a service provider over the network.

I like to reverse engineer communication protocols / APIs between various client applications and their servers, since anything that my phone does, I could technically automate or access from my PC.

Today I looked into CleverTaxi, the largest app for calling a cab from your smartphone in Bucharest. I noticed two problems:

– They talk to their server via HTTPS, but they don’t properly validate the certificate. So I could easily sniff all the API calls from my man-in-the-middle (MITM) PC on the network.

– The server API that makes the app work doesn’t require any authentication. For example, the app displays all the cab positions on top of the city map. For that functionality to work, the app makes a GET request to the server and gets a JSON response with the coordinates of all the cabs connected to the app. That API call is basically public, and anyone can get the coordinates of all the cars, along with the company that owns each car. The positions are updated about every second, so I believe one could implement an algorithm that follows the feed of coordinates and tracks each car based on its position. I believe this is a privacy issue for the drivers.

Here I hooked the coordinate feed to the Google Maps API (the icons were slightly changing position at 2-second intervals):
[Screenshot 1] [Screenshot 2]