The New-Phone Blues: A Reminder That Hackers Shouldn’t Settle

For all the convenience and indispensability of having access to the sum total of human knowledge in the palm of your hand, the actual process of acquiring and configuring a smartphone can be an incredibly frustrating experience. Standing in those endless queues at the cell phone store, jumping through the administrative hoops, and staring in sticker shock at a device that’s likely to end its life dunked in a toilet all contribute to the frustration.

But for my money, the real trouble starts once you get past all that stuff and start trying to set up the new phone just right. Sure, most phone manufacturers make it fairly easy to clone your old phone onto the new one, but there are always hiccups. And for something that gets as tightly integrated into the workflows of your daily life as cell phones do, that can be a real bummer. Especially when you find out that your shiny new phone can’t do something you absolutely depend on.

The Problem

A case in point is my experience just this week, when I finally admitted that I needed a “real” cell phone plan, instead of the pay-as-you-go phones my wife and I have been carrying for the better part of a decade. We got what seemed like a hot screaming deal — brand new Pixel 6 phones for free, with a plan that would only cost $10 a month more than what we were currently paying. So we signed on the line and waited for our phones to ship. It was pretty painless, actually.

That should have been my first inkling of things to come. The Pixels did a pretty good job of porting all our apps over from the old phones. Getting things set up just so, with the right ring tones and screen settings, was tedious but straightforward. Where things started to fall apart, though, was with one special, critical app — the one we use to monitor our diabetic daughter’s blood glucose level.

This is the data that I need access to on the new phone.

I have written quite a bit about diabetes before, and about how continuous glucose monitoring (CGM) has been both a godsend and a curse for us as the parents of a child with Type 1 diabetes. But that app, which links us to a cloud service that her CGM system uploads data to, is absolutely essential for us. Our daughter sleeps like a rock; literally nothing wakes her, certainly not the beeping of her CGM when her blood sugar goes dangerously low in the middle of the night. That means we have to have the CGM app running on our phones, so we can get the notification that she’s in trouble and wake her up to give her a snack before severe and potentially deadly hypoglycemia sets in.

And what would you know, the CGM app wouldn’t work on the new Pixels. We did a little digging and found that the vendor has only certified the app as compatible with a very small number of phones, which doesn’t include the Pixel 6. Curiously, neither of our old phones are on the list either, but it worked on both. That’s why I wasn’t too concerned about the Pixels — if it runs on my wife’s ancient Moto G4, it should run on the latest and greatest, right? Wrong.

With an afternoon wasted on the phone with tech support from both the CGM vendor and the phone carrier under my belt, I sat down to dinner with my wife, feeling defeated. We dejectedly considered the possibility that we’d have to roll back the changes to our phone plan, when I had the thought: Wait a minute! You’re supposed to be a hacker. So, get hacking!

The Hack

What I needed was a way to get alerted on the new phone when the CGM app on the old phone sounded an alarm. I realized that my old phone, where the CGM app is running fine right now, would be the centerpiece of my hack. The other asset on my old phone was MacroDroid, a scripting tool that I used to make sure that I wake up if my daughter’s alarms go off more than five times in the middle of the night by sounding a super obnoxious alarm — deep sleeping runs in the family.

Unfortunately, neither of the old phones had a SIM anymore, so sending a text to the new phones via SMS or MMS was off the table. I played around with sending an email, but that never worked very well. Then I stumbled upon ClickSend, a service that specializes in sending bulk SMS messages for marketing purposes — you know, text spam. But, they have an API that lets me compose an HTTP GET request to send a short text to both our phones. And luckily, MacroDroid supports GETs as one of the actions it can perform.

So, with a morning’s hacking, I came up with a workaround that’s good enough for now. If my daughter’s CGM senses a low blood glucose event, the app on my old phone sets a notification that MacroDroid recognizes as a trigger. It then sends a GET request to ClickSend, which instantly posts a text to both our new phones. All I have to do is leave my old phone powered up on my desk, and it’s almost as good as having the native app working on the Pixel.
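The relay described above, written out as a script: this is an added example, not the author's MacroDroid macro, and the gateway URL, its parameter names, the keyword list and the phone numbers are all hypothetical placeholders rather than ClickSend's documented API. It also does two things the paragraph does not mention: it masks the API key before a URL is logged, because a GET request carries the secret in the query string, and it raises a local alarm when a send fails instead of failing silently.

```python
import urllib.parse
import urllib.request
from typing import Callable, Iterable, List, Tuple

# Hypothetical gateway URL and parameter names: substitute the provider's documented ones.
GATEWAY_URL = "https://sms-gateway.example/send"
# Constructed keywords: match these to the real notification text of the CGM app.
LOW_KEYWORDS = ("low glucose", "urgent low")


def is_low_alert(notification_text: str) -> bool:
    """True when the notification text looks like a low-glucose alarm."""
    text = notification_text.lower()
    return any(keyword in text for keyword in LOW_KEYWORDS)


def build_send_url(to: str, message: str, api_key: str) -> str:
    """Build the GET URL; urlencode() escapes '+', spaces and '&' in the values."""
    query = urllib.parse.urlencode({"to": to, "message": message, "key": api_key})
    return f"{GATEWAY_URL}?{query}"


def redact(url: str) -> str:
    """Mask the API key so the URL can be logged without leaking the secret."""
    parts = urllib.parse.urlsplit(url)
    pairs = urllib.parse.parse_qsl(parts.query, keep_blank_values=True)
    masked = [(k, "***" if k == "key" else v) for k, v in pairs]
    return urllib.parse.urlunsplit(parts._replace(query=urllib.parse.urlencode(masked)))


def http_get(url: str, timeout: float = 10.0) -> int:
    """Real transport: returns the HTTP status; urlopen raises an OSError subclass
    on network failure and on 4xx/5xx responses."""
    with urllib.request.urlopen(url, timeout=timeout) as response:
        return response.status


def relay_alert(
    notification_text: str,
    recipients: Iterable[str],
    api_key: str,
    get: Callable[[str], int] = http_get,
    local_alarm: Callable[[str], None] = print,
    attempts: int = 3,
) -> Tuple[List[str], List[str]]:
    """Send one SMS per recipient and return (delivered, failed).

    Every link in the chain (Wi-Fi, ISP, gateway) can fail, so each recipient
    is retried and anything still undelivered triggers local_alarm().
    Non-alert notifications are ignored and return two empty lists.
    """
    if not is_low_alert(notification_text):
        return [], []
    delivered: List[str] = []
    failed: List[str] = []
    for to in recipients:
        url = build_send_url(to, f"CGM ALERT: {notification_text}", api_key)
        for _ in range(attempts):
            try:
                if 200 <= get(url) < 300:
                    delivered.append(to)
                    break
            except OSError:
                pass  # transient network or gateway error: try again
        else:
            # No attempt succeeded: fail loudly, but never log the raw key.
            failed.append(to)
            local_alarm(f"SMS relay failed for {to}: {redact(url)}")
    return delivered, failed
```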

Next Steps and Lessons Learned

It works! My daughter was out for the day, and the old phone (right) sent an SMS to the new phone when her blood glucose dropped below the limit.

Is it perfect? Far from it. I liked the convenience of having the full CGM app on my phone, and being able to check her number whenever I wanted to. It’s also important to see her chart, to make a judgment call about how to treat her — there’s a big difference between holding steady at 80 mg/dL and 55 mg/dL and falling fast. Not having instant access to that information will take some getting used to.

But my biggest problem with this workaround is that it relies on a long string of dependencies — my old phone working, my WiFi and ISP staying online, no service interruptions in the CGM vendor’s cloud app, and ClickSend being up and running. That’s a lot of things that can break. I’d really like to cut out all those middlemen and build a widget that directly receives the RF signals from my daughter’s CGM and sounds some local alarms if she goes low. I imagine a bedside box that can flash the room lights or activate a bed shaker — or, you know, pelt her with Nerf darts. There’s got to be some kind of upside to diabetes.

Until I can get the time to build something like that, this hack will have to do. Is it an epic hack for the ages? Not at all. What it is is a quick hack that I was able to cobble together with what I had on hand to solve a specific hardware problem now. In my book, that’s a win.

But I think the biggest lesson here is that it’s easy to forget exactly who you are sometimes. I let myself get beaten up by the process, and got to a point where I wasn’t able to see that I had a way around the problem. At the end of the day, hacking is about optimism — it’s about not accepting what the system dishes out and finding another way to a solution. And in times like these, we need all the optimism we can get.

66 thoughts on “The New-Phone Blues: A Reminder That Hackers Shouldn’t Settle”

  1. “That’s a lot of things that can break. I’d really like to cut out all those middlemen and build a widget that directly receives the RF signals from my daughter’s CGM and sounds some local alarms if she goes low. ”

    That could be an adventure depending on how proprietary the whole thing is. Especially if they use encryption to lock the whole thing down. Might have to do some middle-man snooping between the app and the device.

    1. Dexcom G4 was thoroughly reverse engineered – https://github.com/mrzign/nRFdrip is one example, which is derived from the original xDrip author’s work

      Dexcom G5/G6 is BLE, and only supports subscribers in two slots, so it’s not feasible to sniff it passively, or add an “additional” receiver beyond phone and official receiver, but the protocol has been REd enough that there is an open source Android app for it – xdrip+ – https://github.com/NightscoutFoundation/xDrip

      1. Depending on the phone, that might drain the battery in under a few hours, plus you’d have to have some sort of keep-alive connection to keep the host phone from dropping the parasite. Keeping hardware this stuff so proprietary is annoying.

  2. My father is an Angry Birds fanatic. I am talking the original angry birds (not the new fancy ones).

    When we all got new phones the original app was so old that it simply would not work on the newest version of Android.

    The solution I found was to run Virtual Android, which is basically like a mini android VM of an older android version right on the current phone (a OnePlus Nord).

    You might want to try some sort of virtualization on your phone if you haven’t already! Maybe you can trick the app into thinking it’s running on an approved device?

  3. Most networks have an email-to-SMS gateway, e.g. Verizon with 2015551212@vtext.com. You say email from the old phone didn’t work reliably, so maybe you tried that but I thought I’d mention it.
    If I wanted to eliminate as much of third party infra as possible, I’d set up a cloud instance that the old phone would change a flag on and the new phone would poll. With more effort, such instance could replicate the tracking from the old app? Or maybe, in a gross hack, you could just upload screenshots of the old app?

  4. Did you try finding the apk and sideloading the app? Just because you can’t download it from the play store doesn’t mean it won’t work. Especially since it doesn’t sound like the app has any hardware dependencies.

    1. I’ve done this many times with old apps that “aren’t compatible,” and they run just fine. Just need to copy the apk off the old phone via adb pull. Hardest part is identifying the apk file to copy.

      1. That’s the big unfortunate downside of App Bundles (aka Split APKs) with modern apps these days. You have a main APK for the code, and a separate bundle for the resources appropriate for that device. Things like image assets in a given resolution/DPI, rather than including everything else that won’t be used on that device – aimed at saving bandwidth & storage space. But that bundle on one device isn’t necessarily the resources you need on another device.

        But it’s worth checking APK indexing sites like apkmirror.com for the relevant resource bundles, as well as a helper app so you can actually install them.

    2. Also, even if the app really verified the model on which it was running on (it seems so), you can mod it, or if you root your phone, you can spoof the model name. Still, putting arbitrary hardware restrictions on an app is a shitty move on their part.

    3. Oh, I’m able to download it onto the phone from the Play Store just fine. It’s just that when I go to start it up so I can hook up to my daughter’s account, it barfs on its shoes. I don’t think sideloading is going to help in this case. But thanks anyway.

  5. Probably you already tried this, but gonna ask the same way: have you tried going in the phone’s application menu, finding the CGM app, and manually giving it every permission there, since we don’t know what causes the app not to function?

  6. “That should have been my first inkling of things to come.” Wait, so your new phone not working the way you expect is because it was easy to switch from pay-as-you-go service to a “real” service? I don’t get it; seems like a non-sequitur…

    1. It’s a snide reference to the observation that when things are going well, there’s probably some kind of catastrophe lurking ahead. What can I say — I’m Irish.

    1. Good idea, but not for a 16-year-old girl. And besides, I’m thinking forward a bit, to when she’s off to college or living in her own place. I want to give her a backup in case she doesn’t have a roomie or someone else to wake her up if she tanks in her sleep. She’s been T1D for eight years now, and we’ve only gotten close to needing to call EMS for a hypoglycemic event once, and that was very recently. I really don’t want that happening to her when she’s alone — unless you’ve seen it, it’s hard to explain just how mentally compromised a person becomes when their brain runs out of glucose.

    2. Indeed! Even with the old phones, there are way too many devices and services in the chain. Wifi, ISP, cloud provider, phones being charged and connected (some redundancy there, but also common-cause failure points), etc.

      I’d try to cut out all devices and software except for the CGM device. You could place a microphone right up to the CGM beeper, so the sensitivity can be very low, pass it through a bandpass filter tuned to the beeper frequency, envelope detector and comparator, that way you get a digital signal when it’s beeping (all hardware, so very reliable if built properly), while there is no audio signal, so no possibility of eavesdropping, and if she understands it, there shouldn’t be a feeling of invasion of privacy.

      You could use the signal to trigger something that will wake her up, with a suitable snack ready on the bedside table; that way, she should be fine even when alone in the future. Basically, just a simple and hardware-only more aggressive alarm.

      Discrete hardware will always be orders of magnitude more reliable than anything software based, especially when it requires internet connections, device updates that you have no control over, etc. Well-written microcontroller software lies in between those extremes, but for anything remotely safety critical, we always try to avoid even those.

  7. Hey Dan! Type 1 diabetic here myself! Wouldn’t you know I had this same problem when I initially got my Pixel 5, the phone wasn’t supported by the app! After doing some digging I found a Reddit thread that had a link to a modified APK file you can sideload that should do the trick with my Dexcom G6. I’m not exactly sure of the brand of CGM you are using but it helped me. The issue I think with Dexcom and the latest Android phones had something to do with notifications and this modified app did well to be issue free, it even still worked with my dr’s office.

  8. https://pushover.net/ might be a good choice for your message sending needs. It’s been great for me and isn’t associated with a SMS spammer (your words) who might get their messages blocked at any given time. You can also configure different importance levels with different levels of getting your attention sounds.

    1. Pushover is an excellent service! Super reliable, and has options for critical alerts which ignore the phone’s silent and sleep modes.

      I use it for my doorbell, for monitoring servers, and even for notifications that a long-running terminal command has exited (using ntfy).

      But for something this critical, use two independent notification systems!

    1. No, I don’t. Which is why I mentioned that I’m uncomfortable with the long line of dependencies, and how I want to cut out all the middlemen and build a hardware solution. But I’ve got to start somewhere, and I hope to have this sorted soon with a properly engineered solution that takes into account all the life-safety aspects.

  9. There is a ready made app you might want to checkout called Bridge (Xitlabs). I’m not affiliated, just a happy user. Basically it mirrors notifications from one phone to others (and your PC if you want). I’ve used it for several situations like this.

  10. Could be interesting to see what exactly the problem with the app is. If it just doesn’t show up on the play store you can use an app on the old phone to get an APK from the app and upload it to the new one. If it doesn’t start up at all maybe there’s an error that can be checked.

      1. Sniff traffic with charles webproxy, check if the page exists in waybackmachine, if not create a dummy page, map locally, see if the app continues. Or completely copy the android data folder from the app to the new phone (needs root on both phones tho), it’ll have the “I’ve read the eula” check and bypass the issue.

  11. I would get the apk, decompile it, try to find the function that sees if the device is approved or not, replace everything with “return true”, repack and install.

    1. Better: Ditch Medtronic’s system if that’s what he’s using (He doesn’t specify, and the screenshots don’t look like what I remember for Dexcom’s app but I haven’t used it in a while), switch to Dexcom, use xdrip+

    2. Good idea, I might give it a try. Not optimistic, though — there doesn’t seem to be a “not on this device” check being run in the app. Like I said, I’ve seen it run on phones that are not now and never have been on the approved list. It seems more like it’s barfing on a library that the new phone has that the old ones don’t. And Dexcom’s response is, “If it’s not on the list, it’s not our problem. Buy a new phone.”

  12. (I don’t fully understand the risks, but if I read it correctly, this monitor regularly alerts you to a potentially fatal glucose level, so saves your daughter’s life? If I’ve misunderstood, apologies)

    On one hand, good workaround, but on the other…

    I’m all for hacking solutions together, but not where someone’s life is at stake – especially the life of someone I care about. Have you considered the mental health impact it might have for you if it fails when you needed it to work, because of a bug?
    It’s one thing to hack something together when there’s no better option, but if I understand correctly you’re just saving sticking a PAYG sim in the old phone for a few quid a year, and the hassle of carrying/charging two phones… that seems a small price to pay for your daughter.

    FWIW, migrating between iPhones is in my experience completely flawless.
    On the odd occasion that an app isn’t supported on all devices or OSs, it’s very clear which devices it’ll run on.

    1. Good points, but it makes it seem like I’m being penny wise and pound foolish with my daughter’s life. And I am, to some degree, but you needn’t make it seem like these aren’t calculations we all do every day in hundreds of less dramatic ways. Do you let your kids drive in a car that’s more than a couple of years old? Given all the safety features that have come out in recent years, that’s pretty much the same situation as this — you’d be putting the kid at an unacceptable risk by not upgrading to a new car every year or two.

      I know that’s a little confrontational, but my point is we all have to make tradeoffs, and we try to do the best we can with what we’ve got. In my estimation, effecting a quick hack to fill a hole left by unexpected compatibility issues is worth the time and money it saves, which can be directed to fixing other more serious and more immediate threats.

      1. Oh, totally, guilty as charged. We ignore the official advice and have put all 3 of our kids in the same car seats instead of buying new ones for each kid. And the car seats were chosen so we can get 3 across the back of a focus instead of buying a people carrier. And the car is old.
        In my mind, mitigating that is that we don’t clock up many miles; I might feel different if we regularly drove long distances.

        Interestingly, I went through a similar cost/risk analysis a couple of weeks ago getting a dog harness to drive a new puppy home. Ended up just stumping up £40 for a decent one and peace of mind, despite knowing she’ll probably have outgrown it before her next car journey.

        I suppose my concern was that the hacker mindset was driving the decision to the exclusion of a risk assessment.

        And obviously the equation changes if you know it’s a stopgap or you have to balance resources.

        One other thing I would suggest is to have a notification that it’s working correctly. With devices that rarely send a notification, it’s good to know they’re still actually working, and haven’t crashed… (or, as I found with my remote doorbell yesterday, simply don’t have batteries in them 🤦‍♂️)

  13. If it is a dexcom, there is a group providing a “jailbroken” version of the app that works on every android phone…
    And there is Xdrip+, an open source alternative….

    1. I was just going to say this, specifically about xdrip+

      I’ve been a Dexcom user (G4 for a while, and G6 for the past 1-2 years) for years, and have always used xdrip+ and Nightscout, except for a brief misadventure with the G5 and an iPod Touch, which caused me to revert to the G4 until the G6 had been on the market for a while. I HATED the G5, it was absolutely freaking awful, and the broken notification/alarm architecture of iOS was a major part of that. On Android you can have “alarms” that are different from “notifications”, and you can silence notifications WITHOUT silencing alarms. On iOS – you couldn’t silence notifications without silencing alarms which is pretty dangerous if it’s your CGM alarm!

      xdrip+ and Nightscout offer quite a lot in terms of data synchronization and response automation

      I have not used Dexcom’s official mobile apps since that disastrous misadventure with the G5.

  14. This is the Dexcom system isn’t it?

    I’ve had to help troubleshoot it with school nurses a few times. (They have an iPad that lets them monitor multiple students at once).

    Some of the students, parents bought a cheap android phone on cheap prepaid plan. And the only goal is to monitor the device. Not ideal, but it works for an elementary student to remember to just plug it in every night. However, since those phones report back to the monitoring site directly, if they bug out (usually BLE problems, restart bluetooth or the phone) they just disappear for a while. Even the official manual says “if it’s not reporting, wait 30 minutes and try again.” That’s BS, cause blood glucose can change a lot in 30 minutes.

  15. Did you know you can run Anydesk on an Android phone and use it to view/control another Android phone? There may be other apps that allow this as well; Anydesk just happens to be the one I’m familiar with.

  16. Side thinking… what about wetware? I mean, a dog. There are some trained to detect diabetic problems, that is new and not well tested. Yet for a longer time we have been training them to react in cases of need, like: waking up their owners, bringing medikits or pushing alarm buttons (to call ambulance). Detect and react would be even better, of course.

  17. Yep this is a real pain in the butt.

    Dexcom is painfully slow with device support (even on iOS, let alone Android).

    I found this service which lets you spin up your own app based on your device requirements.

    https://www.reddit.com/r/diabetes/comments/qth6tj/oc_build_your_own_dexcom_app_update_base_version/

    It gets around all the stupidness of Dexcom having to “certify” the app code with the authorities.
    With that said, using an app from this service is deemed “unsupported” and “you should not make treatment decisions” etc etc caveat caveat.

    I’ve spun up an app from this service before and it actually works. Very cool stuff.

  18. I get that it is Hackaday and, good hack, I guess.
    Can’t you either add your old phone onto your new plan or just keep your old pay-as-you-go plan? I’m not sure how much that would cost, or what country you are in but the deductible cost of a single ER visit here in good old ‘merica would be way more than either of those two options with benefit of also not causing, you know, medical harm. I also worry about sleeping through a text message and any number of other issues. I suspect your endocrinologist would be less thrilled about the hack than the people reading this blog.
    Also, I’m seeing more and more smarter insulin pumps integrated with continuous blood glucose monitoring devices. Those sure aren’t free either (well, again, in the US) nor, maybe available in other areas but they are pretty fantastic. May be time to speak to doctors about an upgrade.
    Best luck

  19. Maybe this is the moment to attempt building a better alarm for the monitor thing itself? One that’s loud enough so it can not possibly be ignored or slept through. I am sure there’s a way and likely, that is more reliable than two cell phones hopefully talking to each other in just the right way.

  20. This is a truly inspiring and quite epic report, sir. The struggles of a hacker for the life of his/her loved one.
    I can just point and let Saint Ignucious speak for me on how *especially this case*, an open communication protocol or opening the source of that phone app would make your life safer and easier.

  21. Maybe you already did this but, you mentioned BOTH you and your wife have an old phone that will monitor your daughter’s glucose. For a little redundancy, set up both of the old phones to send an alert to both of your new phones. You will get two alerts with every incident, but a bit more peace of mind with your current hack. Excellent post.

  22. Any traffic from an actual implanted medical device stands a good chance of being encrypted for privacy reasons, at least if it was approved after the FDA started making cyber security a point of concern.

    1. It’s the qualification you put forward that’s the crutch of the matter.

      It’s a modern expectation (and often requirement) that medical implants encrypt communications, especially the commands “to” the implant and especially when the implant performs a life critical function or potentially life critical intervention and especially when non-clinical commands could cause death. “modern expectations”.

      Most implants remain in for life and these expectations are only “modern”.

      Many old implants use plain text communications and don’t even have passwords or where they do they’re easily brute forced. Most of these haven’t been replaced as the risks involved with replacement outweigh the potential benefit.

  23. “At the end of the day, hacking is about optimism — it’s about not accepting what the system dishes out and finding another way to a solution. And in times like these, we need all the optimism we can get.”
    I think that is one of the main reasons I like technology and science, and especially the hacker mindset.

    Most people, even educated like doctors, will tell you to just accept things and more often than not, that nothing can be done.

    Real tinkerers, hackers, and scientists/engineers go beyond that.

    And I love the life encouraging habits of hackers pushing beyond limits until a solution is found. To me that really is the essence of being alive. And I am glad such people exist to remind me of what is possible.

  24. My wife and I both use the Dexcom G6 Follow app on our Google Pixel 6’s without issues and have for about 4 months. I haven’t had a problem getting past the EULA on our devices or anything else.

    What OS version does your Pixel 6 have installed? What version of the follow app do you have installed?

    My guess without knowing more specific information is what you mentioned in a previous reply that it is OS build/version related.

    I like your custom solution. We use the G6 Follow app to monitor our 7 year old. I am Type 1 as well and can understand how a solution for this is completely warranted and desired.

    I’d like to hear back if you get a chance!

    Thank you for sharing,
    Levi

  25. Is it just me, or is this kind of problem of artificially restricted proprietary systems locking people out particularly bad for both diabetes and sleep apnea? I seem to see a disproportionate amount of hacks for both of those.

    And it just seems so wasteful to need to do that. Hacking around created problems that shouldn’t exist, rather than hacking on the original source problems & creating solutions

  26. You really need a better solution. I have my Garage Door wired up with Insteon and send myself an SMS message whenever it opens up. Sometimes they arrive hours late. That would be dangerous for your application.

    In addition I’ve used Verizon VText to send myself a note via email. About half the time the message shows up late, or not at all.

    I find sending email from my phone is problematic too. I have multiple accounts in my gmail app. If I set the app to look at anything other than my gmail account; sent mail just sits in the outbox. The reliability of the phone is another problem. Sometimes it gets hot when I’m not using it. Hmmm.

    I’d hack an ESP32 with BLE and WiFi to monitor the signal. Create and host a webpage with the graph. And add a Sonalert or hack a smoke detector to wake everyone up. Add a small UPS using a Lithium battery pack, and make everything portable. Surprised that the company making the CGM doesn’t already have this. Then build and use two of them so when one fails the other still works.

    1. If you can monitor the rate of change on a chart, can you predict that you will have a problem in the middle of the night? I would think it would be nice to know that you are going to have a problem at 1 AM when it’s still 10 PM. Then you would have 3 hours to alleviate the potential problem.
