[liberationtech] An ‘Off-the-Shelf, Skeleton Project’: Experts Analyze the App That Broke Iowa

Yosem Companys ycompanys at gmail.com
Sat Feb 8 17:10:11 CET 2020


Excerpts:
Rahjerdi said that the app contains default React Native metadata and that it
comes off as a "very very off the shelf skeleton project plus add your own code
kind of thing. Honestly, the biggest thing is—I don’t want to throw it under the
bus—but the app was clearly done by someone following a tutorial. It’s similar
to projects I do with my mentees who are learning how to code," Rahjerdi said.
"They started with a starter package and they just added things on top of it. I
get deja vu from my classes because the code looks like someone Googled things
like 'how to add authentication to React Native App' and followed the
instructions," Rahjerdi said.

A team of researchers at Stanford University, including former Facebook chief
security officer Alex Stamos and students Jack Cable, Pierce Lowary, and Alex
Zaheer, said that while analyzing the app, they found potentially concerning
code within it, including hard-coded API keys. Motherboard decompiled the app
and verified the presence of an API key. Stamos' concern was that a hacker could
potentially change or reset data on the servers. Stamos added that he was not
comfortable probing the company's backend without its permission. Shadow
insisted that the app was configured correctly.

An ‘Off-the-Shelf, Skeleton Project’: Experts Analyze the App That Broke Iowa
Multiple experts analyzed Shadow Inc.’s Iowa caucus app. They found all kinds
of problems. vice.com