6 loyal blog readers: 2 lawyers, 2 friends, and 2 ex-colleagues

On the 1st of December 2025, I wrote a blog post about an app called MyTvOnline3 and how I noticed that its copy protection security hadn’t been broken before. It sparked my curiosity; had they actually managed to make a copy-proof application? So I accepted the challenge, and famously said: curiosity killed the cat.

However, it turns out the cat can get smoked out and be threatened with a lawsuit when it tries to be curious and learn...

First, I want to make it clear that the post is offline, and my statement: "I will disable public access to the disputed post before 10 April 2026 in order to avoid escalation," ... "I do so without admitting that the post is unlawful. I continue to disagree with the complainant’s legal characterization of the article, but I do not intend to escalate this matter further at this time through external legal counsel."

Still stands.

Full statement will be included later in this post.

Why?

Good question; it’s simple: nearly everything I do is to learn, to become better at what I do. Especially in IT, where you snooze, you lose the time to get up to the knowledge. And then there is security. I’m not a security specialist, but I try to be security-aware, like I think everyone in IT should be. Because like it or not, we’re going to see many more, and much wider attacks due to the expanding use of LLMs.

Where attack automation used to be “static” and “conventional-assistance,” that’s no longer the case. Even worse, amazingly good cybercriminals are still amazingly good. Good cybercriminals are getting better, and average ones are becoming good. And you know what? Knowledgeless cybercriminals are becoming average with the use of AI. So yeah, this trend will keep rising and we haven’t even tasted the beginning of it. And organizations, companies and other generally good guys aren't getting up to speed to keep the cat and mouse game balanced.

So there you have my "onderbouwing", as we say. But what does that have to do with this disputed post? Not this specifically, to be honest.

But any security that hasn't been broken is a security design I want to know about.

The disputed post

I named the post “APK-cracking: TV Apps on unsupported Android TV devices,” after first containing the actual app name, which makes it sound like I’m some kind of pirate sharing cracked content, right? Yeah… no. That’s what we call clickbait, with the hope that more than three people actually click on my blog post on LinkedIn to read it.

But I had some strict rules for myself when writing the post, with the core being that nothing I shared could be used by readers to actually break the security constraints/design like I did. Because yes, spoiler alert, the security was nothing like I expected it to be. So the whole project was a complete “domper,” with the lawsuit threat the cherry on top.

I started the post with the intro:

and an immediate disclaimer:

You’ll probably understand that I’ll be sharing snippets from the disputed post, because the content... You might've guessed it, is disputed.

The first part contained a small summary of how one gets software from A to B to work on it, and that it’s a well-documented thing on the internet. So I wasn’t going to go into detail.

The second part was some observations about the design, and the first type of security used by many hardware manufacturers, including Aloys, using Android TV to lock system apps, yada yada. Won't go into detail again, as even describing the type, which gives nothing away about how to actually bypass it, and is fully allowed, apparently makes these guys cry.

Same goes for saying it’s not smart to only rely on local single variables for any protective/DRM design, but here I am again. And hey, everyone who doesn’t (know?/want to do?) better does it that way too, so… can’t really blame them. It’s not like I’m perfect…

In the third part, I wrote about the well-known design types that were used to better secure it to the hardware, without actually giving them away. And even as I explained it, I still believe 85% of tech-savvy programmers wouldn’t be able to figure out what I was exactly talking about. And I ended it with a closer:

So it wasn't even a complete write-up/analysis

The fourth part was about cleaning things up and catching everything that wasn’t usable on non-Aloys hardware.

For that, I literally wrote code that I didn’t share, and don’t expect any sane person to actually rewrite the same. Ever heard of Android ContentProvider framework? Nothing specific, just curious. Let me continue:

The last big hurdle was literally one of the most common ways of terminating runtime used in most "average" DRM designs. I’ll save Aloys the shame by not explaining that one, as I also didn't disclose it in the original post.

and then:

The video was the showcase of the answer to my question;

nope, they had an average protective design.

And I ended my post with:

and a funny picture from Reddit:

IMPlayer is actually very decent

So before I go to the part where ALOYS started threatening, let's first talk about who they are.

Who's ALOYS?

ALOYS is the parent company of Formuler OTT devices with the included MyTVOnline app. You know, the ones used by 97% of people for watching illegal IPTV content. And, in hindsight, one of the most hypocritical companies I’ve encountered.

Their hardware is nice, their first-party MyTvOnline app too. They support Widevine (newer devices) for most legal streaming apps, but Netflix won’t come near them, it seems. And I bet they’ve tried to get certified. But it’s not their core interest to have a streaming device for legal services. Their market is the illegal IPTV streaming one.

Why would I say that? Well, MyTVOnline supports Xtream API codes, and in Europe there are no legal TV providers that use this protocol/format. One could even argue there isn’t a service provider worldwide that offers legal, properly licensed IPTV over the Xtream API, as it's insecure. The only legitimate use I can think of is hobby/internal TV networks, like hotels and campuses, etc. But even then there are better alternatives.

But hey, fair game; they play the "It's just the player, not the provider" card.

DMCA?

You might've seen the YouTube embedded video in a screenshot above that got copyright claimed. The one showcasing the app running on a non-Formuler device. In my eyes, and arguably, that was a false DMCA claim. The only argument that could be made is that it contained their logos and app animations & other assets. But then again, if I made the video on a Formuler device praising and showcasing their app then they would've left it alone. However, I know how Google/YouTube handles these DMCA claims and I didn’t even bother to make a real appeal. I just compressed and placed the video directly in my blog.

However, I was curious about the reasoning, as it wasn’t stated in the YouTube portal. You had to send an email to the legal department.

So I did:

Screenshot is in Dutch, sorry; but as stated, the used content information would only be given on request. So I sent the email:

But the hilarious thing was, that the email they gave me to get more details took it as an appeal:

So then I get this goofy mail back saying my appeal isn't clear/complete.

But I only asked what the reason for deletion was. However, I kept getting Dutch replies, so I wrote back that it's a weird response seeing I didn't want to make an appeal but just wanted to know what the reason for deletion was.

translation: "This is a very strange response, where in my previous email did I request an appeal? I requested information about the reason for the claim. This is not listed in the dashboard, and it literally states that I can request this by emailing copyright@youtube.com.

The question that I formulated in English, “What was the reason for the deletion, it doesn’t state it.” should never have been interpreted as a request for an appeal. It is also very concerning that this has happened."

And then 2 weeks later I asked if I was going to get an answer:

To this day no response, not surprising reading about how Google/YouTube handle these things. They do a "too small to bother" thing.

And I didn't really care to be honest, I had it on my blogpost anyway. But why would it stop there?

DMCA pt2

Next came the DMCA notice to the server provider of this blog, Hetzner. Hetzner has a system where, if they receive an abuse report for your server/IP, they ask you for a statement. The DMCA part was easy; we’re in the EU, we don’t have DMCA. We have our own copyright laws.

So my statement here was that we have no DMCA in the EU, which made place for the second notice:

Here I argued that I was within my rights. I’m no lawyer, but when you legally acquire a program, you’re allowed to perform observation, study, and testing of that computer program. And I wasn't sharing any APK, binary, patch, source code, key, script or circumvention tool, and it did not disclose the exact methods used. It was merely a software study and a list of generalized security observations, not the provision of a circumvention product or executable means of circumvention.

But then 3 months later...

We have received a lawyer abuse report

nice

I basically received an email from Hetzner that was a full-on IP lawyer investigation, from a European law firm, including an authorized/signed power of attorney.

Nice power of wasting funds, let's read the document. Not sure who Sepp Jeremiha is though. But ok.

I will be grabbing snippets as it contains the disputed contents.

Exhibit 1 was the power of attorney
Exhibit 2 is the post itself, can't share that one lol

Exhibit 3 shows a couple of screenshots that they sell Formuler devices in German webshops/stores. Okay?

With more screenshots of their website and German tech stores

Considered the best media viewing client on the market huh?

You get the picture. I don't remember highlighting in my post that the app was free of charge, but then again, I don't remember my name being spelled that way either.

Now the best part:

I present you Exhibit 8:

What a cool looking LinkedIn profile, curious what this Sepp guy is up to.

Having a link in the header of my personal, private website to my company is somehow relevant? That’s like being in a park in your free time, wearing company-issued clothing ~ a Christmas sweater with the company logo on it ~ and getting into a fight. Does that suddenly make it about the company? And is that relevant to the context of the fight?

Or take it way further: if I work at a fast-food restaurant and commit a crime while wearing my company-issued clothes in my own free time, is that then really relevant, the company on the clothing? It’s bad PR, can’t argue there, but not more than that.

I don’t see the need for connection.

To me this looks like fluff filler, as there was nothing further to add.

I wish I was able to dissect this part here, but that would be like reuploading the disputed post itself.

But I can share some snippets:

How would one observe the inner design without cracking the egg? I could've taken the route to write a “system-emulator” to trick the app into running. But that would just be to get a result.

The more I read, the less I feel like anyone actually read the blogpost. I mean, the video was a demo of the app running. And yet they call it an explanatory video. And detailed instructions?

Not much more I can share or add. Honestly, the money would’ve been better spent investing in a more secure DRM design than this. Their time wasted. Womp Womp.

And my final statement:

One of my regrets is saving money by moving part of my infrastructure from the Netherlands to Germany (Hetzner), which made it more complex for me to legally challenge. I will be reevaluating this decision. But to Hetzner’s credit, they took my statement seriously and didn’t take unnecessary action, even with my company being a small customer. And I respect their position, like any other for-profit company would take: prevent unnecessary legal costs.

Proost,