Someone at Subway is a serious security nerd
I'll have a 12-incher with the lot, hold the p0wnage
App hacker Randy Westergren has outed the application developer at sandwich kingpin Subway as a serious security nerd.
The hacker set sights on the Subway Android app, which allows users to order and pay for sandwiches from their devices, in a bid to uncover possible vulnerabilities.
He instead found an app slapped with certificate pinning and operating system modification checks usually reserved for high-end net banking apps.
"Subway was using a custom app signature verification process in order to prevent reversing of their APK (Android app file)," Westergren says.
"[There was] an interesting attempt at preventing reverse engineering, though it actually only caused a slight delay.
"This is a great example of an app taking security very seriously, but I'm not quite sure of the reasoning behind the root checking process."
Westergren says certificate pinning and signature verification are laudable goals for application developers but will only "slightly impede" reverse engineering.
The app security controls mean sandwich fanciers will have to wait in line rather than order remotely for a fast pickup if they have opted to exit the often-stalling vendor operating system update process and install custom ROMs on their devices.
Subway did not say who developed the app and it's not apparent who did, based on LinkedIn bragging.
Westergren has previously revealed flaws in applications including the popular My Fitness Pal app that leaked date of birth details, found means to pop Verizon's FiOS internet service, and developed a cheatbot for hit app Trivia Crack. ®