← Back to context

Comment by maeil

18 hours ago

I'm about 90% sure that for some inane reason, McDonalds outsources and creates separate apps for each country/region with these disastrous security flaws, except that at HQ they universally demand horrifically counter-productive "anti-root" measures for every locale, to a larger extent than even finance apps.

Why am I so sure about this? I live on the other side of the world, the app is almost certainly an entirely separate codebase from the Polish one the article is about, and yet here too it has the worst anti-root measures of any app by any remotely large company, including finance, healthcare and government apps. Enormous numbers of false positives. Even for those with the most mainstream Android models around.

This will all just come down to one person at McD's HQ who is forcing through these ridiculous ideas and costing their company a bunch of money in the process. No other multinational employs this strategy to any similar degree.

6 comments

maeil

Reply
JimDabell  15 hours ago

I’ve worked on apps like this for companies like this. What happens is that their IT department mandates an expensive pen test for suppliers, anti-root requirements are on the pen-tester’s generic checklist, and most companies won’t push back on the pen test results. If you do, they normally fold and admit it’s not required.

  • gabeio  13 hours ago

    Pen-testers? People do it for auditors as well! $OLD_JOB literally took one of the auditor’s questions to heart and decided that the question meant they needed to separate the databases physically for each client, they didn’t realize they could have just said “logically separated”. People are more scared of these checklists than they really should be.

  • maeil  15 hours ago

    It's literally only McDonalds though who goes to this degree and does so across different codebases in locales across the world. The departments you're talking about exist in many places, but no other big company has their apps be like this so consistently.

dv_dt  17 hours ago

In news press about similar nonsensical and costly business decisions some of them end up being an exec getting kickbacks or other self dealing

arccy  18 hours ago

think of it as each country being its own company, contracting out to a local software house which may have different ideas of what security means