How to Sign In
Cengage Technology & Computing Blog
cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
X
Debacle
27 Views
0 Comments

[Reading Time - 2 minutes 37 seconds]

 

"Debacle" is perhaps the best way to describe what happened earlier this week (Feb 3 2020) with the app that was used for tallying the votes from the Iowa caucuses. It was a clear recipe for how not to securely develop an app.

 

On Monday night Iowa caucusgoers gathered at about 1,700 sites across the state to tally support for their preferred Democratic presidential candidate. The results from the different polling places were to be entered into an app developed by the Colorado company Shadow, and these results were to compiled with the results announced later that evening.

 

But everything went terribly wrong. Why? It appears that because standard app development and basic security practices were simply ignored.

 

Developing an application requires several different stages. These stages include development, testing, staging, and production. An application development lifecycle model is a conceptual model that describes these different stages involved in creating an application. And there are several detailed models and guidelines by the National Institute of Standards and Technology (NIST) and others that are often used as a framework for secure app development.

 

Evidently Shadow completely ignored these when developing their app for the Iowa Democratic Party (IDP). Here is a short list of the errors that we know about so far from various sources:

 

  • The app appears to have been very quickly developed and was followed by several different patches.
  • Screen shots that have been shared in the media show that the software was updated on January 24, January 30, and February 1, last only two days before the Iowa caucuses.
  • Testing of the app was intentionally delayed until mid-January. Why? It was an attempt to keep it away from potential hackers.
  • The IDP declined an offer from the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) to test the app.
  • The app was not distributed through an app store like Apple's App Store or Google Play. Instead, the app was released through the sites TestFairy and TestFlight, which are testing platforms for mobile phones. By not using an app store for the distribution is a double whammy: the security of the app could not be examined and approved by the app store, and the security protections on phones may have had to be bypassed in order to allow the installation. This bypassing is called jailbreaking on an Apple phone and rooting on an Android device.
  • When users launched the app, several basic functionalities failed. The authentication component did not always work. And some users could not even complete the installation.
  • There was very little training provided on how to use the app.

There has been significant fallout from this debacle. A recanvassing of the results had to take place. It took until Friday (Feb 7 2020)--four days later--for the results of the Iowa primary to finally be announced. Now the Nevada Democratic Party has announced that it will not use the Shadow app for its state caucuses later this month on Feb 22.

 

But that doesn't mean that those states that don't use the Shadow app are in the clear (pun intended).

 

A recent report by the cybersecurity research firm McAfee found that most election websites operated by local governments in the "battleground" states are not part of the ".gov" domain. Having the .gov domain name makes these sites more difficult to spoof. Of 1,117 counties in 13 key states (which account for 201 of the 270 Electoral College votes that determine the winner of presidential contests) a whopping 83.3 percent did not have the .gov validation, McAfee said.

 

What's more, only about half of the state election sites use SSL/TLS encryption (aka "HTTPS" or the padlock icon on your web browser), according to McAfee. That means that the tallying of votes is sent in the clear. It could be possible for the election results to be intercepted and altered before being sent on.

 

What happened in Iowa was a debacle. Let's hope that the other 49 states learn from this disaster and work hard to make their election sites secure.