Why am I so sure about this? I live on the other side of the world, the app is almost certainly an entirely separate codebase from the Polish one the article is about, and yet here too it has the worst anti-root measures of any app by any remotely large company, including finance, healthcare and government apps. Enormous numbers of false positives. Even for those with the most mainstream Android models around.
This will all just come down to one person at McD's HQ who is forcing through these ridiculous ideas and costing their company a bunch of money in the process. No other multinational employs this strategy to any similar degree.
But if someone is seriously thinking client-side security works, yeah the app deserves your review - and probably some reversing, just for fun.
I am reasonably confident that some almost-AOSP aftermarket ROM is a less weird operating environment than the weird hacked-up things official vendors are shipping.
Ah, this reminds me of the Tuya app.
I've done some ssl unpinning and mitm to see requests going in and out of my phone, it's pretty fun and there's often really nice and easy to use restful APIs underneath. Among them I've also done a couple of banking apps and they weren't particularly defensive either. That's great; as a user I'm empowered by it and like TFA says, it's totally fine from a security standpoint if you just don't trust the client to do anything they shouldn't be able to do. It shouldn't be your form validation that stops me from transferring a trillion dollars, and though I haven't tried, I'm sure that's not the case for those apps. All it does is allow me to get my monthly statements with a for loop rather than waiting for a laggy UI and clicking through each month.
Now, Tuya is a Chinese company offering a bunch of cheap IoT devices like smart power switches and IR motion detectors. You can interact with everything through their app. That app for some reason has spent by far the most resources on anti-RE of any apps I've seen. I already bought your hardware, mate. Please let me use it on my local network. My smart home infrared motion sensors were meant to turn lights on when I enter a room. But they don't feel very smart when I'm standing in the dark for 4 seconds while they check with a server in China. I don't even need a clean API; just let me see what you do, and I'll do something similar, no support or documentation necessary. But they go through extensive measures to prevent you from interacting with the hardware you bought and which is sitting in your home.
This was a while ago, but I think for the motion sensing in particular, I managed to just put them in a subnetwork with blocked internet access, and snooped on the network to catch their DHCP requests when they tried to call home. This would happen every once in a while presumably for settings/update checks, but crucially also when there was motion detected, and I didn't mind a few false positives. So in the end they were very quick, locally functioning, privacy-friendly little devices!
As far as trends in IoT goes, I feel like Tuya is mostly positive. I bought some cheap smart plugs at Costco and the default app was worthless. When I learned that they were Tuya-compatible, I managed to get a half-decent (relative to cost) experience out of them. It seems to me that the alternative are a bunch of unmaintained one-off apps for each fly-by-night manufacturer. With a standard protocol and app I think old devices will live a bit longer at least.
Perfect (better) world it's all open source, but c'est la vie.
Nah, there are options!
HomeAssistant, zigbee2mqtt, ZHA, deCONZ.
The Fingerbot also seems to operate over zigbee? Why would you need a developer account in the first place? And why would anyone but Tuya themselves want to hook into their cloud?
The HSBC UK app will not run if you have any apps installed from outside the Play Store. I cannot log into the website without the app. Luckily all I have with them is a lightly used credit card with a low limit, so I have just stopped using it and rely on paper statements.
I find it disturbing that any app can examine your device in this much detail.
When I did a tiny bit of Android development a few years ago, I was astonished how free the app I made was to just examine the file system. I assumed it would be like the web, where each website can have its own little SQLite database and cookie store equivalent, but that's it. I don't know if it's changed, or if it was just because I was in a "dev mode" somehow, but that was very surprising.
I can't include podcasts in the backup I do via rsync via termux anymore, unless I switch to an app that uses a shared storage area instead, as termux can no longer read app directories, only its own and shared storage. You have to rely on each app that uses app-local storage to have its own backup method. Not that I really care from the podcast PoV, hence I've done nothing about it, but it is a sign of apps being better sandboxed at the filesystem level than they used to be.
macOS for one has been asking to allow access to specific folders. Other OSs are possibly starting to do the same, but it used to be a free-for-all.
I wonder what caused the change.
As others have said, you can ring them up and get a physical security key; it works for the website.
In many countries, if the consumer gets defrauded, the bank foots the bill.
I don't think the problem here is consumers getting defrauded by having an insecure rooted device. It's fraudsters using the mobile app APIs for nefarious purposes, and the best way to prevent that is to use SafetyNet and other similar mechanisms.
It's not the best way to prevent it. It's the easiest way for the bank to avoid liability.
The ugly truth of cybersecurity is that, in the real world, most of it is an exercise in shifting liability around and diffusing it. Making systems actually secure is not necessary.
I have at least a dozen apps installed on my phone that are not from the Play Store - a mixture of other stores (Samsung/Epic) and apps that are not from any store but I've compiled myself, or downloaded APKs directly from the developer website.
This isn't true.
Never trust the client. Anything the client has access to, whether "protected" by Play Integrity or not, should be considered compromised.
Maybe some apps with DRM media playback do this kind of check too, yes. Haven’t used Android for many years now.
Hopefully iOS stays the way it is where apps don’t get so much info about other apps on device. I prefer it that way.
And the idea that this kind of check can't be defeated.
That's not enough because the owner of the phone can just twiddle that memory between you calling the API and using the value. You fully own the code that runs on your devices, and if you don't like it then you can just choose to run different code. The GPIDRM hinders some users who want to fully own their device and also use your app, but it doesn't actually protect your app from being executed in other environments (similarly with any other modification to how the GPIDRM might function, short of it physically decrypting the code/data you intend to run and only ever running in environments that would somehow prevent people from backing up those decrypted bytes -- or, similarly, physically decrypting data unique to a particular instance of using the app and not useful for any reason when somebody else runs the app).
When, then, does GPIDRM make sense to use?
_Arguably_ the thing that banks do isn't terrible [1]. Their servers are authenticated, so it's not a security thing. They're just managing risk (people with rooted phones might be more likely to have root-level malware for example). If somebody has a rootkit leaking banking details and the attacker is also willing to pay $10 to borrow their phone number for the day, the bank account will be fully compromised. When that happens, the bank is on the hook some fraction of the time. The bank server trusts requests to either come from a real user or a user with stolen credentials, and they're trying to reduce the chance of the latter (but not eliminate, even from rooted Android phones).
How does McDonald's differ? There are no server-side checks, no passwords, no logins, no crypto handshakes, no anything. If you send a request pinky promising you're a trusted client then you'll get your free food. The implementation was so bad that the TFA demonstrated compromising it on a phone which _correctly_ passed the GPIDRM check.
[0] No such technique can be perfect. At its core, it relies on a secure hardware enclave. Physical keys are always reversible with enough time and effort, in time _linear_ in the key length. The goal is just to create a constant factor big enough that almost nobody with expensive enough tools to dismantle the chip and go probing is willing to go through the effort (or, ideally, not able to with the current generation of technology, so that rotating keys every few years can keep up with reversing efforts).
[1] I'd be shocked if people with rooted Android phones were actually more likely to be victims of phishing/malware/....
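The contrast drawn above, a server that accepts a client's "pinky promise" that it passed an integrity check versus one that verifies its own signed coupon and ledger, as an added example (not code from the thread or from any app it discusses; the HMAC key, coupon format and ledger are constructed for illustration):

```python
import hmac
import hashlib

# Constructed demo key; a real server keeps its signing key server-side only.
SERVER_KEY = b"demo-server-key"

# Server-side ledger: coupon id -> {"user": ..., "redeemed": bool}
_ledger = {}

def issue_coupon(coupon_id, user_id):
    """Server mints a coupon bound to a user and signs it. The client only
    carries the opaque token; it cannot mint or alter one without the key."""
    msg = f"{coupon_id}|{user_id}".encode()
    tag = hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()
    _ledger[coupon_id] = {"user": user_id, "redeemed": False}
    return f"{coupon_id}|{user_id}|{tag}"

def redeem_trusting_client(request):
    """Vulnerable pattern: the server believes whatever the client says about
    itself. Any HTTP client can set this flag, so the check is decorative."""
    return request.get("client_passed_integrity_check") is True

def redeem_verified(request, session_user):
    """Hardened pattern: the server recomputes the signature, binds the coupon
    to the authenticated session user, and consults its own ledger for replays."""
    try:
        coupon_id, token_user, tag = request["coupon_token"].split("|")
    except (KeyError, ValueError):
        return False                       # malformed or missing token
    msg = f"{coupon_id}|{token_user}".encode()
    expected = hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return False                       # forged or tampered token
    entry = _ledger.get(coupon_id)
    if entry is None or entry["user"] != session_user or token_user != session_user:
        return False                       # unknown coupon, or someone else's
    if entry["redeemed"]:
        return False                       # replay of an already-used coupon
    entry["redeemed"] = True               # server-side state, not client state
    return True
```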
I can 100% guarantee that’s what happened here.
To you, you mean, right?
Infighting, KPIs, comp packages, weird ass games trying to build something new or try to learn is actually looked down upon. Very medieval with hunt vibes
I've had my SSN stolen and learned multiple people are using it, lol, so I doubt banking info stolen from Mickey Dees would make a difference. Could something worse be achieved?
I haven't eaten food from McDonalds in years and have never even considered installing their app, but if inspecting and reverse-engineering Android apps was my thing, theirs would have almost certainly caught my interest.
Honestly, it’s amazing it’s not worse!
secure enclaves, secure virtualization, trusted execution environment, trusted platform, confidential computing, protected execution, LaGrande, protected launch, hardware attestation, ..
Of course it is. Always has been.
The security field is riddled with complete nonsense. Much of it is even couched in terms of "best practices". It's the perfect field for people with zero specific knowledge or experience to be trusted with management or engineering, since it doesn't matter until it does matter, at which point a mild non-apology is usually sufficient.
If enough customers order with the app, the drive through line moves quicker. Probably still not as fast as when they used to premake food.
"But the problem with checking if the user is a god, is that the user is a god. They can just tell you what you want to hear."
NISUS: Good. Out of the door. Line on the left. One cross each. Next. Crucifixion?
MR. CHEEKY: Ah, no. Freedom.
JAILER: Hmm?
NISUS: What?
MR. CHEEKY: Eh, freedom for me. They said I hadn't done anything, so I could go free and live on an island somewhere.
NISUS: Oh. Oh, well, that's jolly good. Well, off you go, then.
MR. CHEEKY: Naa, I'm only pulling your leg. It's crucifixion, really.
The author earned a discount on his Big Mac.
If you can get a hot meal for 5 dollars, idk, as a poor person you gotta rep the app even if it's badly implemented.
Given the audience here, I hope many would agree it's pitiful that developers are wasting their time building this junk. Some poor sap had to make this, probably sighing and shrugging at the end of each line of code.
Unions or professional body membership is becoming more important for programmers. People need to be able to say "I studied what you asked me to make, and refuse to work on this illegal, insecure, depressing cruft, and if you fire me for having professional ethics my lawyers will empty your company bank account." Otherwise technologists become just tools of destruction.
This only works if everyone or the vast majority join unions. Otherwise, those who join will get penalised with lower offers or no offers at all.
This is a common objection but I think it's wrong. Putting aside the huge differences between US (at will) and global employment law, the idea of a fluid, frictionless workforce is quite the myth. Keeping wages down and conditions poor very much relies on the propagation of that myth that ethics will work against you. So please be careful not to do yourself a disservice (if indeed you are a developer).
In reality quite small minorities have a disproportionate impact on change. Some accounts claim it's as low as three percent. I'm sceptical of that, but the fact remains; if only a handful of people object but with severe consequences by the force of law, employers will play it safe. I find it unlikely that any employers would survive long if it transpired they were disfavouring members of IEEE, ACM, IET or whatever.
I highly doubt most employers even know what those organisations are. Taking it even further, there is probably a significant number of devs that are unaware of them as well. I don't think devs have this much power. Unless you are a tech company, devs are likely highly replaceable and in my opinion the trend goes in that direction. Obviously, this excludes skilled FAANG devs.
I think this might be an interesting one to consider, other than the "depressing" bit of course. The problem is, I think, if you have the accreditation and you develop an insecure application, do you lose the accreditation? What's the tradeoff?
In my experience it’s a symbolic political power that management has effective ways of limiting.
Also I think you mistook my comment for something about financial success. I am questioning how much power a lawyer has to invoke moral authority (unless they own the firm).
In 2025? Haven't you noticed the massive layoffs by the big companies? Check r/cscareerquestions and read the posts from seniors unable to find a job.
Then again, mobile apps like this tend to be junior work, outsourced to software mills that just burn through juniors cranking out garbage assembled from 10% polyfills and 90% advertising SDKs. Yes, at this point of your career, you can still say "no" - the company will happily replace you with some other junior, while you replace some other junior somewhere else.
What if they didn't know and it's just incompetence?
The main problem is not that McDonald's app, it's what else the same team has worked on...
Currently all coupons at or below 10 PLN are coffee, and not even cappuccino or flat white - but the "kawa czarna" or "kawa z mlekiem" which is watered down.