With Wal-Mart's iOS app, password information was at risk in the encrypted iTunes backup — something that Wal-Mart has only just fixed — as well as when a user registered while on public Wi-Fi. In the Wi-Fi scenario, Wal-Mart relied too heavily on HTTPS to do the protecting.
Why has it been so easy to find mobile apps with security problems? Not enough testing. Now, if you have worked on mobile-app development for a large company, you're probably going to tell me that you do lots of pre-launch app testing. I don't doubt you, but I'm willing to bet that it's overwhelmingly functionality testing, not security testing. I'm confident of this because Wood has been able to find all manner of glitches with just a few hours of testing. Why can't your security people do the same? Wal-Mart maintains that it does indeed do lots of security testing, but when we drilled down into the nature of that testing, it seemed likely that much of it was running automated scripts. Wood's testing was done by someone looking at the code and spotting problems.
Wal-Mart said that it runs "a set of automated systems that run and try and find things" as well as using various third parties, including Veracode and White Hat Security. But Wood observed that those companies offer both automated script testing and human testing, which costs more. Given what he found, he speculates that Wal-Mart probably used only automated scripts. Wal-Mart wouldn't clarify which services it uses from security vendors.
"We do extensive security testing, and we don't disclose how we test security, for obvious reasons," said Wal-Mart spokesperson Dan Toporek.
Toporek also said that "our iPhone app has and continues to use the iOS default or higher levels of security. We appreciate the feedback, as we're always looking to drive the highest levels of security to prevent even these types of unusual scenarios. We are continually enhancing the app and are fixing the issue that was storing geolocation information."
Exposing passwords and geolocation details is embarrassing for a company, and no business wants angry customers posting negative remarks about it on social media. So most companies are eager to fix those problems, though it seems to happen after the fact more often than not. Wal-Mart's app, though, exposes server access and internal codes, and that is a direct problem for the company itself.
The app's code reveals, in plain text, the credentials for an internal development server at Wal-Mart. Given that those credentials have now been deactivated, I can tell you that the credentials themselves are enough to make any security specialist cringe: username "Mobile"; password "1111." (Really, Wal-Mart? Password 1111? Was 1234 already being used for your payroll system?) Wood also found a file called DeveloperCredentials.plist. (No "security through obscurity" in that filename.) The password there? "Password=password" and "email@example.com." That account has also now been disabled.
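A pre-release check of the kind the article argues was missing, added here as an example that is not from the original piece and not Wal-Mart's own code: it parses a plist from an unpacked app bundle with Python's standard plistlib and flags credential-looking keys, rating trivial values such as "1111" or "password" as weak rather than merely hardcoded. The sample plist, its key names and its values are constructed placeholders.

```python
import plistlib
import re

# Constructed sample in the shape of the DeveloperCredentials.plist the
# article describes; the values are placeholders, not Wal-Mart's real data.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>DevServerUser</key><string>Mobile</string>
    <key>DevServerPassword</key><string>1111</string>
    <key>Email</key><string>email@example.com</string>
    <key>Password</key><string>password</string>
    <key>APIHost</key><string>dev.example.invalid</string>
</dict>
</plist>
"""

# Key names that usually hold a secret, and values no one should ship.
SECRET_KEY_RE = re.compile(r"pass(word|wd)?|secret|token|credential|api_?key", re.I)
WEAK_VALUES = {"", "password", "passw0rd", "admin", "changeme"}

def is_weak(value: str) -> bool:
    # Trivially guessable: a known default, all digits, or shorter than 8 chars.
    v = value.strip()
    return v.lower() in WEAK_VALUES or v.isdigit() or len(v) < 8

def walk(node, path=""):
    # Yield (dotted key path, value) for every string leaf in the plist tree.
    if isinstance(node, dict):
        for k, v in node.items():
            yield from walk(v, f"{path}.{k}" if path else k)
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from walk(v, f"{path}[{i}]")
    elif isinstance(node, str):
        yield path, node

def scan_plist_bytes(data: bytes):
    # Return (key path, severity) for every credential-looking key found.
    findings = []
    for key, value in walk(plistlib.loads(data)):
        if SECRET_KEY_RE.search(key):
            findings.append((key, "weak-value" if is_weak(value) else "hardcoded"))
    return findings

if __name__ == "__main__":
    for key, severity in scan_plist_bytes(SAMPLE_PLIST):
        print(f"{severity}: {key}")
```

Run over every file from `pathlib.Path(bundle_dir).rglob("*.plist")` to cover a whole unpacked .app; any hit, weak or not, is a credential that should live in a secrets store rather than in the shipped binary.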