When Wood first found those mobile-account credentials, the server seemed to accept the password and then sent an email to the developer. Even more troubling, noted Wood: "The file also contains much if not all keys and definitions for defining Web service calls to the back-end data service. I was able to successfully make developer requests to their back end. That account was still active (at the time of our testing) because it executed a function."
According to Wood's diagnosis of the problem, the Wal-Mart team didn't sufficiently do the normal system cleanup before the app was published. "They didn't sanitize the application going from their testing environment to the production environment," Wood said. "It just shows that they didn't do their due diligence."
Another example: In the code, one developer revealed his exact username. During the build of the application's binary, the developer published the internal paths of his developer workstation, which revealed his full user path on the machine. A quick Google search revealed a ton of information about that user.
That is the kind of information that is solid gold to a cyberthief, especially one who specializes in social engineering. A fake email account could be created, for example, with which the cyberthief could send out emails purportedly from the developer handling that project. A cyberthief who sent such emails to other members of the team could ask for a password to be changed or for a link to be clicked on. "If so, you now have back-door access to that developer's machine and you might be able to inject malicious code into the application itself," Wood said.
But the security holes that affect users rather than Wal-Mart also could lead to serious consequences. One possibility is corporate espionage. A corporate spy who is targeting a particular company might start hanging out at bars, gyms, coffee shops and other places where employees of that company tend to hang out. He then patiently observes and waits until an opportunity arises to steal a phone. The spy might then access information directly — emails anyone? — or mine the phone for blackmail fodder — prescriptions recorded on the Walgreens app, for example, or products scanned and stored on Wal-Mart's app.
How did we do our testing? The code was discovered by hooking into the systems APIs (hooking C functions and Objective-C methods, also called "Profiling") during runtime and running a tracer, logging API calls made by the Wal-Mart app, Wood said. This logs the class, method name, arguments, and return value that the app calls. "The data the tracer logs is stored in a SQLite DB, which I then pull from the device and run an analyzer on," he said.
Sign up for MIS Asia eNewsletters.