Journal
May 24, 2025 - 15 MIN READ
‘Automatic Report 1': Case Study

‘Automatic Report 1': Case Study

An inside look at how I turned a tedious daily military task into a 70K‑download iOS app—all while still in uniform—covering the scrappy hacks, technical hurdles, and lessons learned along the way.

Liam Mizrahi

Liam Mizrahi


In 2020, I was a conscript in the Israeli army. Like thousands of other soldiers, I had to report my attendance every morning using the new “Doh 1” mobile system. But unlike everyone else, I wasn't going to do it manually.

So I reverse-engineered the app, built a working automation system, and ended up launching a business—an app used by over 70,000 soldiers, entirely off the books. It made life easier for tens of thousands of people and gave me the backend engineering experience that would launch my career.

This is how it happened.


Phase 1: The Problem No One Solved

In mid-2020, the IDF introduced a new digital version of Doh 1, the daily attendance form. From now on, every soldier had to log in manually via mobile and report their location before 08:00. No exceptions.

If you forgot—whether you were sick, on leave, or just exhausted after a night mission—you could lose a vacation day, get a negative mark, or worse.

The process was fragile, stressful, and easy to forget. You could even get punished for a technical glitch or forgetting to tap a button. For me, the tipping point came during a COVID quarantine, when I'd go to sleep at 5 a.m. and force myself up at 8 a.m. just to click a meaningless button: “Still in isolation.”

That's when I realized: this should be automated. And maybe I could do it.


Phase 2: Reverse Engineering the System

I only had an iPhone. I couldn't run Wireshark or packet sniffers easily, but I found an app called HTTP Catcher—a VPN-based tool that could log outbound traffic.

I launched the Doh 1 app, reported my status, and checked the logs. That's when I noticed something crucial:

  • The app wasn't native. It was just a remote web application inside a WebView.
  • Authentication was handled via a session cookie—a single token, valid for over a year.
  • The request itself was simple: a POST to an API endpoint with some JSON, authenticated only by that cookie.

It felt absurd: the app looked official and secure but was really just a thin shell over a public API.

I captured the cookie, wrote a PHP script that sent the same POST request, and ran it manually. It worked.
I'd just automated Doh 1.


Phase 3: From Script to App

The initial version ran off a small VPS using a basic cron job. It worked fine for one person. But I wanted to help others—and avoid needing a laptop.

So I built an iOS app in Swift, using WKWebView to let users log into the real army site. When they reached the main screen, I'd intercept the cookies via WKHTTPCookieStore, extract the right one by name, and send it securely to my backend.

The backend (written first in raw PHP, then migrated to Laravel) stored the cookie using RSA encryption, allowing me to decrypt it only at report time.

Every morning, a cron job ran:

  • Pulled active users who had auto-reporting enabled.
  • Decrypted their cookie.
  • Reported to the IDF API with a crafted POST request.
  • Logged status updates for each attempt.

The mobile UX was minimal: log in once, turn on auto-mode, and that was it. I didn't even need users to input their name—the IDF API gave me that too, so I showed it in the app for peace of mind.


Phase 4: Scaling Chaos

Once a few soldiers tried it and saw it worked, word spread. Fast.

What started with a few test users became hundreds, then thousands. By the time I had over 10,000 active users, the backend started cracking.

Some key problems:

  • The IDF servers were unreliable—frequent 500 errors, downtime, random bans.
  • I had no queue—just a cron job that fired every minute and tried to report everyone.
  • If one report failed, it might retry too quickly or overwrite a working user.

So I started building out a state machine manually:

  • Each user had a status field: idle, pending, reported, or failed.
  • I limited each cron execution to 12 users per iteration.
  • Added a retry queue, and deferred failed users to future rounds.
  • Added a dispatcher that plans the reporting once for that day.

I didn't know what queues, dispatchers, or rate limiters were at the time. But I recreated them by instinct—batching requests, backoff retries, and even collision protection when two crons overlapped.

Eventually, I could support thousands of users daily, on a single VPS, using a queue-like state system I had no name for.


Phase 5: From Hack to Business

One day, my commander—who was open-minded and actually loved the app. He urged me:

“You have to put ads on this thing.”

So I did.

At first, I added AdMob banners. Within a few weeks, I was making more than my monthly military salary—around ₪800–₪1000/month, just from soldiers using a tool I'd built in my spare time.

But the bigger leap came when I realized the demand for advanced features:

  • Schedule reports in advance
  • Remove ads
  • Add special notes (some officers required this)
  • Change report times
  • Report for career officers (not just conscripts)

Crowdfunding the Future

By late 2020, it was clear the app had outgrown “just a side project.” I was maintaining the backend, developing the iOS app, handling support, and paying out of pocket for infrastructure. I wasn't trying to get rich—but the time and effort were mounting.

I built everything using a 2018 MacBook Air with an Intel chip and 8GB of RAM. It struggled with Swift compile times, crashed often, and made backend tasks painfully slow. I realized that in order to sustain the project, I needed to invest in better hardware—and find a way to fund development properly.

That's when I launched a crowdfunding campaign on Headstart—Israel's version of Kickstarter.

I framed it not as a commercial product, but as a community utility:

This is a tool built by a soldier, for soldiers. It's helped thousands already, and I want to keep improving it—with your help.

I promised that the core features would always remain free and open, but supporters would receive premium capabilities once I had the tools to build them:

  • Week-ahead scheduling
  • Reporting with notes
  • Report time customization
  • Priority access to new features
  • Lifetime premium status

The campaign gained traction quickly—461 people backed it, and we raised ₪15,830, surpassing the goal at 113% funding. It took a few weeks, not days—but the trust it showed was overwhelming.

With the money, I finally purchased a MacBook Pro M1, which dramatically improved my development velocity. Within weeks, I began rolling out the premium features supporters had been promised—and more.

This campaign didn't just fund a laptop. It validated the entire project.


App Look Timeline

Phase 6: The Golden Days

Armed with a better dev setup, I began rolling out major updates.

Premium Features Expanded

After the crowdfunding campaign, I rolled out a set of premium features for supporters—focused on privacy, flexibility, and giving soldiers more control:

  • Week-ahead scheduling — plan and automate your status for the entire week in advance
  • Officer-specific statuses — support for ranks and roles that required different reporting formats (e.g., קצין, נגד)
  • Custom report time — avoid the suspicious 05:00 default by choosing your own report hour
  • Add notes to reports — meet the requirement of commanders who expected comments, just like in the official app
  • Ad-free experience — clean, uninterrupted use for paying users

These features didn't replace the basic functionality—they enhanced it. The core remained free and accessible to everyone, while the premium tier helped sustain the app's future and respected the reality of serving soldiers.

Real Revenue, Real Operations

I opened a sole proprietorship, integrated PayPlus and MAX as payment gateways, and used Morning for issuing automated receipts—before I ever imagined I'd work there.

I also built a custom admin panel (in Laravel Blade) to:

  • Monitor system health
  • Track reporting failures
  • Send support messages
  • Retry user submissions manually if needed

As support demand grew, I built a custom support system on top of WhatsApp Web JS—essentially a self-made version of Intercom.

Soldiers could contact the app through WhatsApp, where I integrated:

  • Smart routing based on message intent (support, settings, upgrades)
  • Tools to update account preferences, change report status or time, and toggle premium features
  • A backend chat panel where I could personally respond to users in real-time
  • Deep integration with the platform's state—letting me view reporting logs, retry failed reports, or flag issues instantly

It wasn't just a help desk—it was a full support ops layer, seamlessly woven into the app experience. And it let me manage a high volume of daily users without ever needing a team.

Top Trends on App Store


Phase 7: The Shutdown

In 2022, the IDF pushed a major infrastructure update.

  1. They finally implemented week-ahead scheduling—a feature I had launched over a year earlier.
  2. They moved to Microsoft Identity Provider (IDP), replacing cookie-based login with OAuth2.

This new flow required redirect URLs, rotating tokens, and full browser auth—not something you could spoof inside a WebView.

That day, Doh 1 Automatic quietly stopped working.

There was no public complaint, no takedown. Just a subtle shift in the API—one that closed the door on every method I'd used to automate the system.

It had worked until the official solution caught up. And it had done it better, earlier, and with zero institutional support.


Phase 8: What It Gave Me

Even though the app died, it changed my life.

I learned more building Doh 1 Automatic than from any course:

  • How to build under constraints (one cron, no queueing library).
  • How to secure sensitive data (RSA + rotation).
  • How to design for real-world flakiness (backoffs, retries, state machines).
  • How to talk to users, price a product, and scale from hack to business.

It also taught me how to run something end-to-end: infrastructure, billing, support, legal, Apple App Store compliance—all while serving in the IDF.

As a former customer of Morning, I already understood the product, the business mindset behind it, and the kind of challenges real users face. That perspective helped me stand out—and today, I work at Morning as a backend developer on the finance team.

I now manage complex integrations with:

  • Payment gateways
  • Israeli banks (via Open Banking APIs)
  • The Israeli Tax Authority
  • And various other third-party providers critical to financial infrastructure

Running Doh 1 Automatic gave me a foundation in product thinking, secure architecture, and reliability—all of which I now use every day at scale.


Phase 9: Where Is It Now?

Like all great systems, Doh 1 Automatic had a mission—and it completed it.

In its final days, it was still reporting automatically for thousands of users each morning, fully hands-off.
Then the API changed, and it vanished.

But the journey didn't end.

The lessons I learned scaling it—under constraints, with no team, no funding, and no institutional backing—shaped how I think about systems, products, and user trust.

From a personal pain point to a community tool to a real business, Doh 1 Automatic was the project that taught me everything.

Final Thoughts

I didn't set out to build a product. I just wanted to sleep in.

But in doing so, I found a problem nobody had solved, reverse-engineered a government system, and ended up launching a real-world SaaS that impacted tens of thousands.

The product's dead. But the skills—and the story—are very much alive.

Copyright © 2025