/g/ - Technology

File: interrogation.jpg (55 KB, 1101x930)
I think my company is about to release a mobile app that communicates with a customer's public webserver/database (CRUD) with *zero* authentication. I'm very new to app development, but I KNOW this is going to be a problem if ignored, I'm just not sure how severe it truly is.

I've recently joined the only other person working on this app, and just discovered this insane issue that he hasn't addressed for *years* and doesn't think is an issue.

PII on thousands of people would be very easy to get if you know how to format the web requests that the app makes - just two parameters are all that's needed: specify that you want to search for someone, and provide their 'person ID', and you will get everything about the person. Getting a person's ID is trivial in the same way. On top of that, there are a dozen other actions you can perform with a person's ID that could definitely impact their life.

The .apk has been publicly available for a few months to anyone who manages to find where it's located.

Even worse, you don't need the mobile app to make the requests, either - make the request in a browser or use curl, and the customer's webserver would take it, as long as it's formatted correctly - no login or authentication required. From my understanding, figuring out how to format this request would be trivial if you can decompile the app.

The people in charge want to release the app as a live beta test to at least one site & their webserver anyways in the interest of time, and to worry about authentication + session tokens in a future release. (????)

Internally, my ass is covered; I've done my due diligence. But how fucked do you think we are (or will be) if this app/webserver goes live? The level of panic between my colleagues seems to be split. Half aren't bothered by it, but the other half (myself included) are kinda freaking out.

I think the odds are low, but not zero. And if it *is* discovered, the consequences are unimaginable.
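What OP describes is the classic pair of missing authentication plus missing per-record authorization: any caller who knows the action name and a person ID gets the whole record. The block below is an added illustration, not OP's code or the company's app: a toy dispatcher that behaves the way OP describes (`vulnerable_handle`), beside a hardened one (`hardened_handle`) that requires a session token obtained through a login step and then checks that the logged-in user is actually allowed to read the requested person. The records, users, the `ACL` table, the `Authorization: Bearer <token>` header format and the session lifetime are all constructed assumptions for the example.

```python
"""Added example (not from the thread): unauthenticated CRUD lookup vs. a
handler that enforces authentication and per-record authorization."""
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed sample data standing in for the customer's database.
PEOPLE = {
    "1001": {"name": "Alice Example", "dob": "1990-01-01", "phone": "555-0100"},
    "1002": {"name": "Bob Example", "dob": "1985-06-15", "phone": "555-0101"},
}


def vulnerable_handle(params: dict) -> dict:
    """Mirrors OP's description: two parameters, no login, full record returned."""
    if params.get("action") == "search_person":
        rec = PEOPLE.get(params.get("person_id"))
        return {"ok": True, "person": rec} if rec else {"ok": False, "error": "not found"}
    return {"ok": False, "error": "unknown action"}


# ---- hardened variant (assumed design, not the project's) -------------------
SESSION_TTL = 15 * 60          # seconds a session token stays valid (assumption)
SESSIONS: dict = {}            # token -> {"user": ..., "expires": ...}

# Constructed ACL: which staff account may read which person records.
ACL = {"cw-7": {"1001"}, "cw-9": {"1002"}}


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 so a stolen credential table is not directly usable.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


_SALT = secrets.token_bytes(16)
# Constructed account; the password is a placeholder for the example.
USERS = {"cw-7": (_SALT, _hash_password("correct horse battery staple", _SALT))}


def login(user: str, password: str, now: Optional[float] = None) -> Optional[str]:
    """Verify credentials and mint a random, expiring session token."""
    rec = USERS.get(user)
    if rec is None:
        _hash_password(password, b"\x00" * 16)   # keep timing similar for unknown users
        return None
    salt, stored = rec
    if not hmac.compare_digest(_hash_password(password, salt), stored):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = {"user": user, "expires": (now or time.time()) + SESSION_TTL}
    return token


def _authenticate(headers: dict, now: float) -> Optional[str]:
    """Map an Authorization header to a user, or None if absent/invalid/expired."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    token = auth[len("Bearer "):]
    session = SESSIONS.get(token)
    if session is None or session["expires"] < now:
        SESSIONS.pop(token, None)                # drop expired tokens on sight
        return None
    return session["user"]


def hardened_handle(params: dict, headers: dict, now: Optional[float] = None) -> dict:
    """Same two-parameter API, but authenticated and authorized per record."""
    now = time.time() if now is None else now
    user = _authenticate(headers, now)
    if user is None:
        return {"ok": False, "error": "authentication required", "status": 401}
    if params.get("action") == "search_person":
        pid = params.get("person_id")
        # Same answer for "no such record" and "not your record", so a logged-in
        # user cannot enumerate IDs by watching which ones return 403 vs 404.
        if pid not in ACL.get(user, set()) or pid not in PEOPLE:
            return {"ok": False, "error": "not found", "status": 404}
        return {"ok": True, "person": PEOPLE[pid], "status": 200}
    return {"ok": False, "error": "unknown action", "status": 400}


if __name__ == "__main__":
    print(vulnerable_handle({"action": "search_person", "person_id": "1001"}))
    print(hardened_handle({"action": "search_person", "person_id": "1001"}, {}))
    tok = login("cw-7", "correct horse battery staple")
    hdrs = {"Authorization": "Bearer " + tok}
    print(hardened_handle({"action": "search_person", "person_id": "1001"}, hdrs))
    print(hardened_handle({"action": "search_person", "person_id": "1002"}, hdrs))
```

The point of the second handler is that the session token alone is not the fix OP's colleagues are deferring: it answers "who is calling?", and the `ACL` check answers "may this caller see this person?". Shipping the first without the second still leaves every authenticated user able to walk the whole person table by ID.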
>>
>>106925219
what's the name of the app?
>>
>>106925291
ligmapp
>>
ask yourself, will you profit personally from worrying about this shit? if not, just cover your ass and mention it in writing but otherwise lay off. doesn't matter in the scheme of things or your life.
>>
>>106925219
Greedy rat investors are like that.

I worked for a company that insisted on using some shitty payment processor that had rolled their own security. The payment processor's developer was earnest but green. It may have been his very first programming job. I'm pretty sure my CEO and the payment processor's CEO were fucking.

The payment gateway used HTTP, not HTTPS. They had a symmetric key embedded in their payment library that was used to exchange asymmetric public keys. I pointed out that it's supposed to be the other way around and that we should be using HTTPS. I got told off by their "security consultant" who insisted we couldn't use HTTPS without installing a root cert on every customer's device.

The CEOs of both companies ended up in Federal prison, not because of any of this, but for drug trafficking.
>>
>>106925219
Time to grow some balls. Formally document that this needs to be fixed immediately or you will walk + blow whistle. This is why you need savings so when your company starts doing criminal shit they can't force you to go alone for the ride.
>>
>>106925219
>Internally, my ass is covered; I've done my due diligence.
then it's not your problem.
stop having sympathy for a corporate world that doesn't care about you.
>>
>>106925219
Is it publicly traded? If it's actually PII, short the stock and file a whistleblower complaint after it goes live.
>>
>>106925356
Employees are tools, if the hammer won't hit the nail you just get a new one that works as intended.
>>
>>106925731
>expose their wrongdoing by doing insider trading!
anon...
>>
>>106925219
how are you posting from jail stayvuhn?
>>
>>106925958
Profiting from the downfall of stupid and illicit people is not wrongdoing, it is the patriotic duty of all Americans.
>>
raise the issue and document everything
then contact hr/whistleblowers contact
this way your hands will be 100% clean
>>
>>106925219
some apps can be unauthenticated but you should still be recording sessions and nothing of real value should be dealt in that app
>>
>>106925219
>I think my company is about to release a mobile app that communicates with a customer's public webserver/database (CRUD) with *zero* authentication
it's OK as long as they use a firewall and your IP is static.
>>
>>106927978
This.
>>106925219
OP you're FUCKED if you don't say anything or document anything. Hell, they might make you a fall-guy, back every piece of evidence, every objection, everything up good.
>>
>>106928305
>OP you're FUCKED if you don't say anything or document anything
Now, now. Who expects anything from a newb? You're just dooming.
>>
>>106925219
>trivial if you can decompile the app
they don't even need to do that, network sniffing will show the requests
>>
>>106925219
don't be a tease anon, leak it
>>
If your app doesn't have root detection or cert pinning it's going to get discovered in about 40 minutes. If it has this, then it will get discovered in about 4 days.