
Evan Schuman: App testing and sins of omission

Evan Schuman | Jan. 29, 2014
Starbucks released a mobile app that stored passwords in clear text. There's a good chance that a lot of other companies just don't know whether they could find themselves in the same situation.

And you have ample reason to come up with the time and money to do this sort of testing. Failing to do so can lead to embarrassment and customer anger. So start thinking about what you need to check. First, how does your code interact with the mobile OS on the devices it will be available on? What about third-party code, the supposed culprit in the Starbucks situation? It did a few things it wasn't supposed to do, and that caused other parts of the app to do things — like revealing passwords — that no one had apparently considered possible.

But you have to assume that sort of thing is possible, and you have to specifically look for it.

You have to look for things that would be in conflict with industry and government regulations like PCI, HIPAA and Sarbanes-Oxley. You don't want to release an app that reveals payment-card data, restricted healthcare information or sensitive financial data. Until you run the kind of exhaustive tests Wood is talking about, you can't be sure that those things aren't happening.
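One concrete check for the failure the column describes, added here as an example and not part of the original piece or anything Starbucks shipped: log into a test build with a throwaway canary password, copy the app's data directory off the device, and sweep it for that credential in the encodings a log, cache or preferences file would plausibly hold it in. The directory layout and file contents in `demo()` are constructed.

```python
"""Sweep a copy of an app's on-device storage for a canary credential (added
example): lists every file holding it in plain, UTF-16, URL-encoded or base64 form."""
import base64
import os
import tempfile
from urllib.parse import quote


def encoded_forms(secret: str) -> dict[str, bytes]:
    """Byte patterns to search for, keyed by encoding. The base64 pattern only
    matches inside a larger blob when the secret starts on a 3-byte boundary."""
    raw = secret.encode("utf-8")
    return {
        "plain": raw,
        "utf-16le": secret.encode("utf-16-le"),
        "url-encoded": quote(secret, safe="").encode("ascii"),
        "base64": base64.b64encode(raw),
    }


def find_plaintext_secrets(root: str, secrets: list[str]) -> dict[str, list[str]]:
    """Map each offending file under root to the encodings that matched ({} if clean)."""
    patterns = [(n, p) for s in secrets for n, p in encoded_forms(s).items()]
    findings: dict[str, list[str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:  # raw bytes: logs, plists, SQLite, caches
                data = fh.read()
            hits = sorted({n for n, p in patterns if p in data})
            if hits:
                findings[os.path.relpath(path, root)] = hits
    return findings


def demo() -> dict[str, list[str]]:
    """Scan a constructed sample sandbox: one clean file and three leaky ones."""
    secret = "Canary!Pa55#"  # constructed throwaway test credential
    samples = {  # constructed files imitating what an app might leave behind
        "Library/Caches/session.log": b"POST /login user=alice pass=Canary!Pa55# 200\n",
        "Documents/prefs.dat": b"token=" + base64.b64encode(secret.encode()) + b"\n",
        "Documents/ui_state.dat": b"\x00\x01" + secret.encode("utf-16-le") + b"\x00\x00",
        "Documents/app.db": b"SQLite format 3\x00 nothing sensitive here\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, content in samples.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(content)
        return find_plaintext_secrets(root, [secret])
```

Run the same sweep against a pull of the real app sandbox; an empty result is the release gate, and any non-empty result names the file that captured the credential.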

Wood, who is now working closely with Starbucks as a consultant (unpaid for the moment), has talked with a lot of Starbucks people involved in this, and he has come to his own conclusion about how it happened. "From my review, I could tell that they tested the application and ensured that there were security protections in place. Unfortunately, whether it was a miss or oversight on their part, the application exposed those sensitive user data elements. This is where I reference how the business just doesn't understand the IT or security side of the house. This is the norm in almost every organization, small or large. Having a security architect/engineer brought into the project from the beginning during the planning and initiation phases of the life cycle would ensure that mishaps like these won't occur as much. Conducting a security impact analysis on something like including a third-party service should have been conducted and security testing should have focused specifically on this piece. If it was, it most likely would have caught something like this. Since I wasn't in the room when this decision and others were made, this is only conjecture; however, I believe this was probably the case."

So, no, this isn't really about Starbucks. "This is the norm in almost every organization, small or large." Ask your team today about the level of security testing that they perform for their mobile apps. Not functionality testing, but true security testing. You just might save yourself from a very big headache.
