Mobile app security testing of the McDelivery app, the home delivery app for McDonald’s India, shows that the app leaked the data of 2.2 million of its users. The research, from Indian cyber security firm Fallible, claims that the data was leaked through McDonald’s app. McDonald’s has said its users’ financial information is safe; the leaked data consisted of names, phone numbers, email addresses, home addresses, social media profile links and home location coordinates. The data could be retrieved by anyone who sent a curl request to the API endpoint, with no authentication required.
Fallible notified McDonald’s of the security loophole on 7 February, but the issue was not fixed despite continued efforts from the global fast food chain. After getting little response to its findings, Fallible decided to publish them on 18 March 2017.
McDonald’s has since updated its app and fixed the issue. This case shows the need for frequent mobile app security testing, including testing of the backend API the app talks to.
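The weakness described above is a backend API that hands out a user record to any caller, authenticated or not. The following is an added example, not code from the original post or from McDonald’s or Fallible, that contrasts a handler with no authentication against a hardened handler that requires a valid bearer token and only serves the record belonging to the token’s owner. The user records, the signing key and the token format are all constructed for the demonstration; the `unauthenticated_exposure` helper is the kind of check an API security test would run to confirm that profile endpoints reject requests carrying no credentials.

```python
import hashlib
import hmac

# Constructed server-side signing key (assumption for the demo; a real
# service would load this from a secret store, never hard-code it).
SECRET_KEY = b"constructed-demo-signing-key"

# Constructed sample records; no real customer data.
USERS = {
    "1001": {"name": "Asha Example", "phone": "+91-00000-00001",
             "email": "asha@example.com", "address": "12 Sample Road",
             "lat": 12.9716, "lon": 77.5946},
    "1002": {"name": "Ravi Example", "phone": "+91-00000-00002",
             "email": "ravi@example.com", "address": "34 Sample Street",
             "lat": 28.6139, "lon": 77.2090},
}


def issue_token(user_id: str) -> str:
    """Mint a bearer token of the form '<user_id>.<hmac-sha256 hex>'."""
    sig = hmac.new(SECRET_KEY, user_id.encode(), hashlib.sha256).hexdigest()
    return f"{user_id}.{sig}"


def verify_token(token: str):
    """Return the user id the token was issued for, or None if invalid."""
    try:
        user_id, sig = token.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SECRET_KEY, user_id.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so signature checks do not leak timing.
    if not hmac.compare_digest(sig, expected):
        return None
    return user_id


def vulnerable_profile(user_id: str, headers: dict):
    """Handler with the flaw described in the post: any caller who knows or
    guesses a user id receives the full record. Headers are ignored."""
    record = USERS.get(user_id)
    if record is None:
        return 404, {"error": "not found"}
    return 200, record


def hardened_profile(user_id: str, headers: dict):
    """Hardened handler: authenticate the caller, then authorise the request
    by requiring that the caller is the owner of the requested record."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, {"error": "authentication required"}
    caller = verify_token(auth[len("Bearer "):])
    if caller is None:
        return 401, {"error": "invalid token"}
    if caller != user_id:
        # A logged-in user may not read someone else's profile. Returning
        # 404 instead of 403 here would additionally avoid confirming which
        # ids exist.
        return 403, {"error": "forbidden"}
    record = USERS.get(user_id)
    if record is None:
        return 404, {"error": "not found"}
    return 200, record


def unauthenticated_exposure(handler, candidate_ids) -> int:
    """API test check: count how many records the handler returns to a
    request that carries no credentials at all. The expected value for a
    correctly protected endpoint is 0."""
    exposed = 0
    for uid in candidate_ids:
        status, _ = handler(uid, {})
        if status == 200:
            exposed += 1
    return exposed


if __name__ == "__main__":
    ids = ["1001", "1002", "1003"]
    print("vulnerable handler, no auth:", unauthenticated_exposure(vulnerable_profile, ids))
    print("hardened handler, no auth:  ", unauthenticated_exposure(hardened_profile, ids))
    token = issue_token("1001")
    print("hardened, own record:   ", hardened_profile("1001", {"Authorization": "Bearer " + token})[0])
    print("hardened, other record: ", hardened_profile("1002", {"Authorization": "Bearer " + token})[0])
```

The point the check makes is that authentication alone is not enough: the hardened handler also enforces authorisation, so a valid token for one user cannot be used to walk through other users’ ids. A mobile app security test should exercise both cases, the missing-credential request and the valid-credential-wrong-object request, against every endpoint that returns personal data.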
In a statement sent to the Times of India, McDonald’s said, “The website and app has always been safe to use, and we update security measure on regular basis. As a precautionary measure, we would also urge our users to update the McDelivery app on their devices. At McDonald’s India, we are committed to our users’ data privacy and protection.” As usual, this shows the uncertain approach companies take to crisis PR messaging when they get hacked: the statement is ambiguous as to whether McDonald’s accepts or denies that the app had a critical vulnerability.
India lags far behind in enforcing rules and regulations on data privacy and protection. Companies in India take a light-touch approach to data protection compared with stricter jurisdictions such as the United States, the European Union or Singapore.
Codified Security is here to help make your mobile app secure whether it’s for iOS, Android, or to make sure you’re clearing the OWASP Mobile Top 10. For mobile app security testing try out Codified Security.