Perspective from our Fausto Oliveira, principal security architect
The incident looks like a typical example of a lack of proper testing.
“If the error conditions in the app had been properly tested, this type of issue should have been caught by the quality assurance department and never seen in production,” he told Threatpost. “It is unfortunate that often in the rush to go to market, shortcuts are taken and due-diligence testing is skipped in favor of meeting a release date. It also raises questions as to why wasn’t this information encrypted so that even if it was written to a database it would be unreadable and also how come individuals had access to a copy of the database? A proper design would have ensured that any records accessible on the mobile device would be encrypted using per user keys and that the device would only have access to the information that was relevant to the specific user.”
Read the full article at threatpost website.