
Hello, lovely people. Stop speaking and listen to me, because it's all about me for the next half hour. I think we're starting. First things first: no shitty pictures of me on the internet, please. If I look like a gargoyle and you post it online, I will hunt you down. Right, welcome to my talk: Outsourced Development, What's the Worst That Could Happen? [ __ ] Who am I? I'm regretting my life choices. Right, so I am Saskia Coplans. I am an award-losing security specialist; never won an award, won a lot of grants though, and we'd much rather have money than awards. And I am the co-founder and director of both Digital Interruption and Rexscan. Digital Interruption is a cyber security consultancy, and Rexscan is a vulnerability management SaaS tool company, sort of thing, but we're kind of not really operating at the moment, so there's Rex in the corner, really. [Applause]

This is the story of trying to create something truly beautiful by getting other people to do it for us. I mean, we're super techy security people, you know, we learned about security and we know how to give super clear instructions. What could possibly go wrong?

In the 19th century the US Supreme Court ruled that abortion was recognized as a constitutional right, so this meant that individual states couldn't restrict abortion. When this was overturned in 2022, many states started to restrict access to sexual health care. Following this change there was a lot of advice, particularly on social media, that people should delete their period tracking apps: this whole idea that you could be tracked through the apps, that it could be used to prosecute you. As a result, a lot of consumers did start to question all of these different period tracking apps, but some of those apps decided to cash in on it. One in particular, who we won't mention, Stardust, basically said that they had encryption that meant that they could never hand over your data, which kind of doesn't make sense, because encryption doesn't mean data can't be handed over. So let's just start with that: encryption basically means that you can decrypt something; it just needs to be decrypted by the right people. It doesn't make data impossible to read, it just makes it harder to read. And it turns out that much of the data within this specific app actually was visible, and they were already sending it to third parties, as many apps do, and governments absolutely have the right to compel any company to hand over data.

So let's take the app Telegram, for example. They argued that they couldn't share data because of the GDPR, and then they allegedly went on to share IP addresses, phone numbers, all sorts of data with American, Russian and even German authorities. So all of this tells me that the people who made this specific period tracking app don't really understand the technology that they're talking about, and they really don't understand security. And the reality is that with the period tracking apps we're addressing, it's not just them that are tracking you, because this comes down to how mobile technology is built. When you use apps they're constantly, passively collecting data about you, and that data is more detailed when it's on a mobile device.

So when you download a mobile app you're setting up an account, and you give that account certain permissions; you need to give those permissions in order for it to be able to work. So you might have a mobile number as part of that account, or a device ID, and this allows you to log in. You may be connecting to other apps on your phone, so you might give it permissions for location tracking, or it might be that you're giving it permissions for photos; for quite a lot of them it might also be your health tracker as well. So it may therefore start collecting data like geolocation, your physical movements, online behaviours, your browser history, biometrics in order to get in, and there might also be your specific health data. And if you've used Google or Facebook toolkits in order to create the app, usually data is being sent to them, because that is embedded as part of the toolkit, so you actually have to take that off to stop the app from sending that data. Sixty percent of mobile applications that have been built using Meta or Google will automatically start sending data back to Meta and Google. And because all of this links to your device, all of this data can be aggregated and it can be subpoenaed, so it's not just the period tracker that might be used in evidence.

So for example, if you are moving between states because you're looking for abortion care, it's not just this period tracker. Where did you stay? Did you use an app for travel, to book accommodation, to message a friend? Which apps were using your location movements? Did you leave your phone at home, but whose home? Did you take time off work? Who did you tell? And with, I don't know why I put something about Apple Watches in there, but with Apple Watches as well recording certain health statistics, all of this can build a picture. But we're smarter than the app, right? We can game it; there are privacy protections that shield you. But in short, no. It simply works that most of these apps actually cannot function without taking this data; it's literally how they're built.

But what about the GDPR? Well, it doesn't cover any countries outside of the EU, and it's really quite a weak regulation. Trackers such as Clue are saying that they won't share your data, but they can't guarantee this. Well, what about HIPAA? Usually period trackers are not covered by privacy laws such as HIPAA, and even if they were, a 2019 study found that 79% of health apps that were available on the Google Play store regularly shared data and were far from transparent. Well, what if I log a false period? Well, apart from that negating the whole point of having a period tracking app, you've already put the data in and that data's been time-stamped, so it can actually show that you have changed that data. And finally, even if you revert to using a pen and paper, there's all sorts of stuff where... I'm sorry, I don't know why I'm doing such a bad job of this today. I'm going to take a breath and have a sip of water and try and regroup. It's because I'm hungover. I'm terribly sorry, I've never actually done a BSides Leeds talk sober, and I'm really in that tradition at the moment, and I know that this is being recorded, which is absolutely tragic.

But there we go. So with rewards of up to ten thousand dollars up for grabs for anybody who dobs somebody in for going for an abortion, it's increasingly difficult to know who you can trust in this kind of situation. So this raises a question: do people who don't understand technology, and absolutely don't understand security, have any business making an app that could be so high risk? So after giving several interviews on this subject it all started to feel quite depressing, but then I remembered that I run a software house and I literally could make something that would be better than what was currently available. So we decided to do a little experiment, and we made Lex, with an L, not Rex with an R; it's got terribly confusing. Well, I say we made it; we designed it and then we outsourced it, because I decided that it would take too much time to do it in-house.

So what is Lex? Well, it's an offline, open source general symptom tracker with settings for periods and menopause. It has no back end, the data is stored locally, and you can export the data and store it yourself. There are no ads, there are no in-app purchases or trackers, and it's completely free. You can use it to track any symptoms for any condition. It has a pretty extensive list of symptoms that you can choose from, and if you want to add in your own symptoms you can do that too. It will loosely predict ovulation and PMS if you want it to, but that can be disabled. If you delete the app, all of the data will be deleted with it. We don't take an email, a mobile number, a name or a device ID; no back end means that we will never see any of your data. It's PIN protected on login, and there are some additional security features that are explained within the app. You can download all the data and re-upload it at any point, should you wish to share it, or if you need to take the app off the device without losing that data for any reason. The idea is that it would be built, or at least tested, using Rexscan, so you could say that Lex is protected by Rex, you know, like in the movie where the T-Rex attacks the raptors and saves everybody. But most of all, the idea was that it was simple and secure, and as it's non-commercial and released open source, the community could maintain it.

Right, so all of this seems pretty simple, pretty straightforward. We threat modelled it, we designed it, we just need someone to make it, so we're already one step ahead of all these other apps. I say simple; I've had to explain menstruation to a lot of people. [Aside with co-presenter about people who don't understand ovulation, partly inaudible.] I'll tell you later.

So we got in touch with a Fiverr-recommended account that specializes in mobile apps. "We are looking for a simple, offline, four-page mobile app," I said. "The purpose of the app is to track menstruation and menstrual symptoms, along with general health symptoms," I said, and this is kind of important, because it's not just about menstruation. There are all sorts of illnesses that are criminalized in different ways, so for example in certain Asian countries if you don't do a certain amount of steps per day it will invalidate your insurance; actually having certain symptoms of certain illnesses can invalidate your insurance in a lot of countries; mental health is criminalized, effectively, in a lot of countries. So the idea of having privacy around health is really, really important. I said the app must be able to predict ovulation based on data added, and a PMS window based on data added; we can supply the algorithm. I said the idea is that it's simple and secure. Again, I said we need no back end, data stored locally, no in-app advertising; it must not be developed using Google or Facebook (Meta) advertising, as they have back doors that will send that data to Meta. Third-party libraries should be limited, and if you're going to use them you need to clear it with us. The app must allow data to be exported and imported in CVS format. The CVS file should be written to disk and then, sorry, should not be written to disk, and a password-protected zip file should be created which contains the CVS file. CSV, thank you. I keep saying CVS and I think it's a store. Yeah, CSV. Not going to drink before the next talk, honestly; I'm usually much better than this. Any data that's saved locally must be encrypted; doesn't mean it can't be read. The app should be protected with a PIN, which you need to access the data stored in the app, and then we wanted to have a secondary PIN that would bring up false data, so if you were asked to put your PIN in under duress by law enforcement, you could put in the false PIN and it would bring up fake data. Clever, right?

So, security requirements. Very, very clear requirements were sent over: PINs should not be brute-forceable; the PIN should not be stored in plain text; a secondary PIN that can be set will show fake data when it's inputted; the data should be local, i.e. we don't want APIs; data should be encrypted when exported, with a user-supplied password.

Introducing Lex. It crashed constantly. You could select but not deselect a symptom. You could add your own symptoms, but you could never delete them. When you did select a symptom, it duplicated it. It predicted ovulation and PMS, but only in the past, sorry, only in the future and never in the past. It did something weird with the calendar too, really weird. But this is all the stuff that I could see. I'm not technical; I just couldn't get into the [ __ ] thing, and when I did, it did all sorts of crazy [ __ ]. So any non-technical founder would be able to say "this is a piece of [ __ ]" and go back to my Fiverr-recommended mobile developers and say "fix this crap". But what about the stuff underneath? What about the stuff that wouldn't be picked up by Rex? Any idiot can put something through Rex, we designed it in that way, but there's stuff underneath. So we did put it through Rex. The report was 71 pages long; it picked up 59 vulnerabilities. Now, some of these will have been false positives; many of them are from the libraries that they used. However, this is a very, very simple app, it's basically a calendar, and no libraries without our permission was a key requirement. However, this was just a first pass, so we did a manual code review and a penetration test, and that brought up even more. There was SQL injection; the PIN was brute-forceable; the PIN was stored in plain text; the symptoms were stored in plain text; the secondary PIN was the same as the primary PIN; all data was being stored on the device unencrypted; data was exported unencrypted; it was riddled with third-party libraries, including Facebook advertising; and there was a vibrate function, and we don't know what that was for, but we think they might have misunderstood something around vaginas.

So let's drill down into these issues a little bit. Tell them about the calendar. Like, one of the things it did was, if you put your period in for the month, you ended up with events stacked on the back of each other, the events that were being added in. I think they'd done something where, instead of using a proper calendar library, they had just basically divided everything by 365. The date stuff, they just basically chopped where the spaces would be, so if you have a date, 25th of January or whatever, it was "25, space, well that's definitely the day, that's definitely the month, the next one's definitely the year". So it just crashed all the time, because it's trying to parse so much data. It was absolutely bonkers.

All the shared preferences files were unencrypted, so that meant a law enforcement agency would be able to see the PIN, because it was in plain text. Android actually do provide encrypted shared preferences, and those can be protected with biometrics. I'm going to go back, I'm sorry. I think one of the other things was just the amount of duplication in the code. Yeah, the whole thing was copy-pasted. Instead of using functions, they had just basically constantly copied and pasted throughout the app, so not only was it ginormous, but it also meant it was really, really difficult to fix anything, which, when you've got SQL injection embedded in the code, isn't really a good thing. Bearing in mind that we don't have a back end, so that's not such a big deal, but this is being released open source, so any old git can take it off GitHub and reproduce it, and there's really not very much that we can do about that. Now, if they were to then put it onto a SQL database, it would have been instantly vulnerable to that.

There was no lockout mechanism for the PIN at all, so it was very, very easily brute-forceable. Now, there are ways that you can reset and bypass and do all sorts of stuff with the brute forcing; it is more complicated than just, you know, putting certain security elements in place, even we struggled with that, but it's the fact that they didn't even try. The duress PIN being the same as the normal PIN meant that it brought up the same data, so basically it just meant that there was the option for two PINs. And the libraries that they had used were just ridiculous; they were so old, they were so out of date. We actually found one of the libraries online, didn't we, which turned out to actually be someone else's, and they'd also copied and pasted tutorials on how to make an Android app into it. And also there was a problem with the CSV file: it was stored to the wrong place. Well, it didn't ask you where; it just put it somewhere. It didn't export all the data either, because they'd done it off by one when they were looking through the data, so it basically exported the date and the symptom and then not the severity. Yeah, as you can tell, Paul and I had a lot of fun with this app.

So what was the fix? Well, we removed all the duplicated code, and I say we, I mean Tom and Paul removed the duplicated code and put functions in place. We removed the third-party libraries and we wrote the code properly. We added a proper duress PIN, so now the user can put in their own dummy data; they decide what that data looks like. We fixed the data download issues, we added encryption, we removed the vibrate function (could leave it in, it's open source, add it in if you want, [ __ ]), and we fixed the SQL injection. This took months, it took absolutely months, and it cost about 10 times what we paid for this app, and we are still not finished. We really hope that it will be available soon so I can release the damn thing. But rather than just scrap it and rewrite it from scratch, which Tom begged me to do several times, yeah, [ __ ], and I put "we" in the talk, but I felt that this was actually a really valuable experience in understanding the difference between MVP and dangerous pile of [ __ ], especially when talking about very high risk apps that could be pushed to a large audience and then monetized.

So what's the conclusion for this? Well, in short, if you're going to release this kind of app you really need to have somebody on the team, or adjacent to that team, who you trust, who understands technology. If you don't understand technology you should not be creating stuff like this, certainly not from Fiverr, because it's dangerous. But that's really easy to say, right? Well, no: if you've got an idea and it's tech for good, reach out to the community: devs, testers, security people. [Laughter] They will all help you understand risk and the difference between MVP and dangerous, particularly with security; we never shut the [ __ ] up, we love to talk about it, we love to consider ourselves experts on everything. If you're going to release a project, consider open sourcing it in the first instance. Usually there's a free version of something anyway, to get people hooked or interested; just do it open source. If you do it open source then people from the community are going to help you build it; they'll help you understand things. Find out about tech: Google secure app development, read some blogs, watch some YouTube, go on Twitter. In the end, all roads lead to OWASP. And finally, if you're creating something that is a revenue-creating product, assign a proper budget, make sure you have experienced technical people with proper credentials who can steer you and advise you, and if it's high risk, for the love of God, get it pen tested. My apologies for this dreadful talk. Any questions?

[Audience question, partly inaudible, about brute-forcing the PIN you already have.] Well, what's the one that we've got outstanding? It's one of the security features; it was to do with the secure preferences, the password was stuck in the private preferences, and we wanted to have it so that you couldn't take the data. So when we've solved that, yeah. Yeah, so I don't mind releasing something open source with quite possibly the world's shittiest code, but releasing something open source that is my attempt at pounding other people for being insecure, that's insecure as [ __ ], probably isn't going to be good for my reputation as an award-losing security specialist who does great talks when hungover and certainly doesn't have to take a break, drink some water and start again after having taken a breath.

[Audience question: how much did we pay for it?] Yeah, they mugged me for £350. I paid them because I could not be arsed to have a fight with them, but, did you not know, it's literally in escrow, so it's just sitting in Fiverr, because I said to them, "I will pay you for your time because you have done work, but the work is [inaudible] quality; I think that you should charge us less," and then they started arguing, and then I got bored and then I just kind of left it, and I think they also got bored, so it's just sitting in Fiverr. So maybe we'll get a credit note for Fiverr and I can make some more shitty apps and do talks about them with a hangover and do a really bad job of it. Come on, hit me. It's a segue.

[Audience question, partly inaudible: a friend asked an app to delete her data after the reversal of Roe v. Wade, and they refused to do it on the basis that the data might be needed.] Nice. They probably couldn't delete it. Usually, in my experience of having worked with companies, when they say that they can't for a certain reason, it's usually that they physically can't; they actually don't know how to get into the back end and delete stuff, because of how it's been built. [Inaudible.] Well, I mean, everything's a transaction, isn't it? It's like one of the things that we were really keen about with Lex was that it wasn't passing this data back to other organizations, because we've all heard the shitty story of the girl that got chucked out of her house because she was using a Walmart card, and Walmart figured that she wasn't buying tampons anymore, therefore she must be pregnant, and then started sending advertising for baby formula to the house, and her dad found out and moved them out. So we were really, really concerned that that kind of stuff wouldn't happen with Lex, and it really was actually quite interesting just how many pitfalls we found, as a security company, in trying to make something that was completely secure. [Inaudible.]

[Inaudible.] I am the best employer in the world. [Inaudible.]

I mean, that is a good point: it was really secure from the point of view that law enforcement couldn't get into it, because it crashed all the time, but that was kind of a bit of a problem, because neither could we. [Inaudible.] I think I'm out of time, sorry. [Laughter] I think we're done. Thank you very much.
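The PIN requirements the talk lists (not stored in plain text, not brute-forceable, and a duress PIN that shows different data) worked through as an added Python example; this is not the Lex app's own code, and the two-slot layout, KDF iteration count and lockout threshold are assumptions rather than values from the talk.

```python
"""Client-side PIN handling for an offline tracker with no back end.
Added illustration, not the Lex app's code; slot layout, iteration count
and lockout threshold are assumed values."""
import hashlib
import hmac
import os
from dataclasses import dataclass

KDF_ITERATIONS = 100_000    # assumed: slow enough that guessing a short PIN offline is costly
MAX_FAILED_ATTEMPTS = 5     # assumed lockout threshold (the outsourced build had no lockout)


@dataclass
class PinSlot:
    """One PIN and the dataset it unlocks. Only salt + verifier are persisted,
    never the PIN itself (the outsourced build kept it in plain text)."""
    salt: bytes
    verifier: bytes
    data: dict


def derive_key(pin: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 with a per-slot random salt; deliberately slow."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, KDF_ITERATIONS, dklen=32)


def make_slot(pin: str, data: dict) -> PinSlot:
    salt = os.urandom(16)
    return PinSlot(salt=salt, verifier=derive_key(pin, salt), data=data)


@dataclass
class PinVault:
    real: PinSlot
    duress: PinSlot
    failed_attempts: int = 0  # on Android this counter belongs in EncryptedSharedPreferences

    @classmethod
    def create(cls, real_pin: str, duress_pin: str, real_data: dict, decoy_data: dict):
        # The outsourced build allowed both PINs to be identical, which made the duress PIN useless.
        if hmac.compare_digest(real_pin.encode(), duress_pin.encode()):
            raise ValueError("duress PIN must differ from the real PIN")
        return cls(real=make_slot(real_pin, real_data), duress=make_slot(duress_pin, decoy_data))

    def unlock(self, pin: str):
        """Return the dataset of whichever slot `pin` matches, or None on a miss.
        Both slots are always checked so timing does not reveal which one matched,
        and after MAX_FAILED_ATTEMPTS misses the vault refuses further attempts."""
        if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            raise PermissionError("PIN entry locked out")
        matches = [slot for slot in (self.real, self.duress)
                   if hmac.compare_digest(derive_key(pin, slot.salt), slot.verifier)]
        if not matches:
            self.failed_attempts += 1
            return None
        self.failed_attempts = 0
        return matches[0].data


if __name__ == "__main__":
    # Constructed sample records, not real user data.
    vault = PinVault.create("2468", "1357", {"2023-04-02": ["cramps"]}, {"2023-04-02": []})
    print(vault.unlock("2468"))  # real dataset
    print(vault.unlock("1357"))  # decoy dataset, same code path
    print(vault.unlock("0000"))  # None, and the failure counter advances
```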