Evan Schuman: Wal-Mart is latest big company with mobile-app security problems

Walgreens also joins the list, as it becomes increasingly obvious that companies aren't doing enough security testing.

The evidence keeps mounting that companies that put out mobile apps are not paying nearly enough attention to security. Even big companies with large and experienced IT staffs are guilty. In fact, the latest evidence suggests that the iOS mobile app of the largest company in the U.S., by revenue, Wal-Mart, exposed user information, including geolocation details. The retailer is famously IT-savvy and is said to owe much of its success to what goes on in the back office.

Wal-Mart has already addressed many of the issues raised by Daniel Wood (CISSP, GPEN), an independent penetration tester, and says it is fixing the geolocation problem.

Wood conducted the testing at the request of Computerworld. He also spotted security failings in Walgreens' iOS mobile app.

The Wal-Mart app also displays an extensive list of recently viewed and/or scanned products, which could prove quite embarrassing if viewed by a co-worker, date or relative. ("Stocking up on condoms, Father Smith?")

The list of large companies -- including Starbucks, Delta, Facebook, Match.com and eHarmony -- whose Android and/or iOS mobile apps have been found to reveal far more information than the companies knew has been growing. Besides Wal-Mart, we can now add Walgreens to the list. Its iOS app's Pill Reminder function encourages shoppers to photograph their prescriptions, but it seems that those images are stored unencrypted and available to anyone. The app also stores the full name and user ID of customers, not encrypted but encoded (Base64) -- which can be easily unencoded and accessed. Walgreens plans to fix both security holes within days, said Abhi Dhar, chief technology officer for e-commerce at Walgreens.

Dhar said Walgreens had expected shoppers to take pictures of prescribed pills -- showing an orange circular pill or a blue rectangular capsule, for example -- but many have been photographing the prescription labels. When executives realized that, he said, they knew Walgreens needed to up its security.

The unencrypted information stored in the Wal-Mart app is available on any device that isn't protected by a password. Password information was at risk in the encrypted iTunes backup -- something that Wal-Mart just now fixed.

The fact that it has been fairly easy to find mobile apps with security problems suggests that the apps developers have not been doing enough testing. I'm sure that large companies do lots of pre-launch app testing, but I'm willing to bet that it's overwhelmingly functionality testing, not security testing. I'm confident of this because Wood has been able to find all manner of glitches with just a few hours of testing. And I strongly suspect that a lot of the testing that is done involves running automated scripts. Wood's testing was done by someone looking at the code and spotting problems.

In Wal-Mart's case, we don't know. "We do extensive security testing, and we don't disclose how we test security, for obvious reasons," said Wal-Mart spokesperson Dan Toporek.

Toporek also said that "our iPhone app has and continues to use the iOS default or higher levels of security. We appreciate the feedback, as we're always looking to drive the highest levels of security to prevent even these types of unusual scenarios. We are continually enhancing the app and are fixing the issue that was storing geolocation information."

The point of all of this is not that Wal-Mart and Walgreens were especially reckless when it came to security -- although both could have certainly done more -- but that many of the largest companies with the best IT talent are still not focusing sufficiently on mobile app security. And if they're not, what are the chances that small companies are? Mobile app security needs to get top-tier IT attention, and it needs to happen now. I assure you: Cyberthieves and corporate espionage agents are already on it.

Join the CSO newsletter!

Error: Please check your email address.

Tags WalgreenssecuritySSPmobile securitycomputerworldmobile apps

More about DeltaFacebookMatch.comStarbucksWal-Mart

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Evan Schuman

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place