
Trusting clients is probably a security flaw

152 points by aquastorm yesterday at 7:27 AM | 122 comments

Comments

maeil yesterday at 2:10 PM

I'm about 90% sure that for some inane reason, McDonald's outsources and creates separate apps for each country/region with these disastrous security flaws, except that at HQ they universally demand horrifically counter-productive "anti-root" measures for every locale, to a larger extent than even finance apps.

Why am I so sure about this? I live on the other side of the world, the app is almost certainly an entirely separate codebase from the Polish one the article is about, and yet here too it has the worst anti-root measures of any app by any remotely large company, including finance, healthcare and government apps. Enormous numbers of false positives. Even for those with the most mainstream Android models around.

This will all just come down to one person at McD's HQ who is forcing through these ridiculous ideas and costing their company a bunch of money in the process. No other multinational employs this strategy to any similar degree.

Zak yesterday at 2:25 PM

If an app tries to detect that I have root or a non-stock OS, I will give it a 1-star review on Google Play 100% of the time. Everyone who has a rooted device should do this.

pedrovhb yesterday at 10:44 AM

> [the extensive anti-reverse engineering measures are] more annoying than any financial app I've had, and I have 5 of them on my phone

Ah, this reminds me of the Tuya app.

I've done some SSL unpinning and MITM to see requests going in and out of my phone, it's pretty fun and there's often really nice and easy to use RESTful APIs underneath. Among them I've also done a couple of banking apps and they weren't particularly defensive either. That's great; as a user I'm empowered by it and like TFA says, it's totally fine from a security standpoint if you just don't trust the client to do anything they shouldn't be able to do. It shouldn't be your form validation that stops me from transferring a trillion dollars, and though I haven't tried, I'm sure that's not the case for those apps. All it does is allow me to get my monthly statements with a for loop rather than waiting for a laggy UI and clicking through each month.

Now, Tuya is a Chinese company offering a bunch of cheap IoT devices like smart power switches and IR motion detectors. You can interact with everything through their app. That app for some reason has spent by far the most resources on anti-RE of any apps I've seen. I already bought your hardware, mate. Please let me use it on my local network. My smart home infrared motion sensors were meant to turn lights on when I enter a room. But they don't feel very smart when I'm standing in the dark for 4 seconds while they check with a server in China. I don't even need a clean API; just let me see what you do, and I'll do something similar, no support or documentation necessary. But they go through extensive measures to prevent you from interacting with the hardware you bought and which is sitting in your home.

This was a while ago, but I think for the motion sensing in particular, I managed to just put them in a subnetwork with blocked internet access, and snooped on the network to catch their DHCP requests when they tried to call home. This would happen every once in a while presumably for settings/update checks, but crucially also when there was motion detected, and I didn't mind a few false positives. So in the end they were very quick, locally functioning, privacy-friendly little devices!

pta2002 yesterday at 7:48 AM

This is like the fifth article I've read about the McDonald's app not having any sort of server-side validation. How do they keep getting this wrong???

prmph yesterday at 9:20 AM

I thought not trusting clients was already security 101?

daft_pink yesterday at 3:29 PM

McDonald’s is seriously the strangest company when it comes to the way they push your app at you. They literally ask you if they’ve installed their app as the first question when you show up at a drive-thru. I don’t trust them at all and there is no way I’m installing their stupid app.

Over2Chars yesterday at 10:08 AM

Hilariously well written.

"But the problem with checking if the user is a god, is that the user is a god. They can just tell you what you want to hear."

NISUS: Good. Out of the door. Line on the left. One cross each. Next. Crucifixion?

MR. CHEEKY: Ah, no. Freedom.

JAILER: Hmm?

NISUS: What?

MR. CHEEKY: Eh, freedom for me. They said I hadn't done anything, so I could go free and live on an island somewhere.

NISUS: Oh. Oh, well, that's jolly good. Well, off you go, then.

MR. CHEEKY: Naa, I'm only pulling your leg. It's crucifixion, really.

The author earned a discount on his Big Mac.

nonrandomstring yesterday at 8:26 AM

Ick. That turned my stomach. Sure it's bad for end users that corporate mobile app development is a swamp. In this case it only affects the vendor who lost out on users and reputation. But cavalier, reckless engineering equally causes harm to the client device or end user - if only in wasted time.

Given the audience here, I hope many would agree it's pitiful that developers are wasting their time building this junk. Some poor sap had to make this, probably sighing and shrugging at the end of each line of code.

Unions or professional body membership is becoming more important for programmers. People need to be able to say "I studied what you asked me to make, and refuse to work on this illegal, insecure, depressing cruft, and if you fire me for having professional ethics my lawyers will empty your company bank account." Otherwise technologists become just tools of destruction.

red_admiral yesterday at 5:29 PM

Wasn't there a public transport app a while back that checked ticket prices on the client? Where you could change the API calls to purchase the same tickets for 0 money (EUR? doesn't really matter).
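
An added example (not part of the thread or the linked article): a server-side pricing function that computes the total from its own catalogue and never reads a price, total or discount sent by the client, which is the check whose absence the comment above describes. The catalogue, coupon table, limits and function names are hypothetical.

```python
from datetime import date
from decimal import Decimal

# Constructed sample data: the server's own source of truth (hypothetical values).
CATALOGUE = {"single-ticket": Decimal("3.40"), "day-pass": Decimal("15.00")}
COUPONS = {"SPRING10": {"percent": 10, "expires": date(2025, 6, 30), "owner": "alice"}}
MAX_QTY = 20


class OrderRejected(ValueError):
    """Raised when a request cannot be priced from server-side data."""


def price_order(user, request, today):
    """Return the amount to charge, computed only from server-side data.

    `request` is the untrusted, already-parsed JSON body. Any 'price',
    'total' or 'discount' field the client included is never read.
    """
    items = request.get("items") if isinstance(request, dict) else None
    if not isinstance(items, list) or not items:
        raise OrderRejected("no items")
    total = Decimal("0")
    for item in items:
        if not isinstance(item, dict):
            raise OrderRejected("malformed item")
        sku, qty = item.get("sku"), item.get("qty")
        if not isinstance(sku, str) or sku not in CATALOGUE:
            raise OrderRejected(f"unknown sku: {sku!r}")
        # bool is a subclass of int, so compare the exact type.
        if type(qty) is not int or not 1 <= qty <= MAX_QTY:
            raise OrderRejected(f"bad quantity: {qty!r}")
        total += CATALOGUE[sku] * qty
    code = request.get("coupon")
    if code is not None:
        coupon = COUPONS.get(code) if isinstance(code, str) else None
        # Coupon must exist, belong to the authenticated user, and be unexpired.
        if coupon is None or coupon["owner"] != user or coupon["expires"] < today:
            raise OrderRejected("coupon not valid for this user")
        total -= total * coupon["percent"] / 100
    return total.quantize(Decimal("0.01"))
```

`user` must come from the authenticated session, not from the request body, and `today` from the server clock.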

ryao yesterday at 5:35 PM

This applies to games too, and the games have even more ridiculous measures such as putting malware into end user kernels to try to compensate for it.

TZubiri yesterday at 11:53 PM

*provably

nottorp yesterday at 10:43 AM

Just probably? Do we still need articles to point that out in ... 2025?

The main problem is not that McDonald's app, it's what else has the same team worked on...

macinjosh yesterday at 3:45 PM

If I turn off location, ad tracking, or other permissions on the iOS version the McD's app only shows the breakfast menu and no deals are available. This is on a loyal, active account with 40k reward points. On iOS you do not have the option to root your phone so I just eat there less which is probably a good thing anyway.

lozf yesterday at 12:21 PM

This article is dated 2023

begueradj yesterday at 9:39 AM

Like it was mentioned here [1]: nobody cares.

[1]: https://news.ycombinator.com/item?id=42707238

RicoElectrico yesterday at 7:53 AM

In reality, since COVID, the coupons in Polish McD are so bad the app is almost useless. And the current version loads so sluggishly.

bunupepeurjfh yesterday at 10:00 AM

[flagged]

2phonesguy yesterday at 10:03 AM

[flagged]

brian-armstrong yesterday at 5:26 PM

The real surprise to me here is that grown ass adults are choosing to eat at McDonald's

sans_souse yesterday at 1:00 PM

Does anyone else remember the days of bottle cap instant-wins? I don't want these apps. Remember affordable fast food? I spent $14.74 to wait in drive thru for 15 minutes to eat cold fries and a slice of patty with cardboard bacon and solidified cheese whizz? Can't blame the staff, they aren't seeing any of those profits.