Hacker News

maeil, yesterday at 2:10 PM (4 replies)

I'm about 90% sure that for some inane reason, McDonald's outsources and creates separate apps for each country/region with these disastrous security flaws, except that at HQ they universally demand horrifically counter-productive "anti-root" measures for every locale, to a larger extent than even finance apps.

Why am I so sure about this? I live on the other side of the world, the app is almost certainly an entirely separate codebase from the Polish one the article is about, and yet here too it has the worst anti-root measures of any app by any remotely large company, including finance, healthcare and government apps. Enormous numbers of false positives. Even for those with the most mainstream Android models around.

This will all just come down to one person at McD's HQ who is forcing through these ridiculous ideas and costing their company a bunch of money in the process. No other multinational employs this strategy to any similar degree.


Replies

JimDabell, yesterday at 4:38 PM

I’ve worked on apps like this for companies like this. What happens is that their IT department mandates an expensive pen test for suppliers, anti-root requirements are on the pen-tester’s generic checklist, and most companies won’t push back on the pen test results. If you do, they normally fold and admit it’s not required.

dv_dt, yesterday at 3:19 PM

In news press about similar nonsensical and costly business decisions, some of them end up being an exec getting kickbacks or other self-dealing.

arccy, yesterday at 2:29 PM

Think of it as each country being its own company, contracting out to a local software house which may have different ideas of what security means.
