

Skout: a devastating privacy vulnerability - squidsoup
http://corte.si/posts/security/skout/index.html

======
nwp90
I can't quite decide whether hiding the stupid with SSL would be a good thing
or not. If done properly (incl. pinned cert(s)), it would mostly hide the
stupid, which would help protect users - but also make it less likely that
users would ever know just how bad the app is.

------
jonny_eh
Why do they not use SSL? Every mobile app should use SSL to communicate with
their API. Apple should look into making this a developer guideline (i.e.
reject apps that break it).

~~~
askimto
That's a problem generally, but not the fundamental problem here.

------
squidsoup
Sadly, I suspect this is a case of developer neglect and laziness. I'd imagine
what has happened here is the developer has serialised the entirety of a User
model, rather than carefully only exposing properties required by the client.

Hopefully this will act as a cautionary tale for anyone designing an API.

~~~
rhizome
Certainly they're serializing the entire user, and I'm guessing they just
figured, "let the client sort it out." In other words, a lack of backend chops
that would establish proximity and age (per examples in the blog post) based
on the request and the user requesting the data.
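
As an added illustration of the over-serialisation the two comments above describe (example code written for this page, not Skout's code or anything posted in the thread), a Python sketch with a hypothetical User model: the whole-model dump beside an allow-list projection that derives the age and a coarse proximity bucket on the server from the requesting user's own position, so raw coordinates, date of birth and e-mail never leave the backend.

```python
from dataclasses import dataclass, asdict
from datetime import date
import math

@dataclass
class User:
    # Everything a typical User row holds; most of it must never reach another client.
    id: int
    username: str
    email: str
    birth_date: date
    lat: float
    lon: float

# Constructed sample rows and a fixed "today" (hypothetical data, not real users).
ALICE = User(1, "alice", "alice@example.com", date(2000, 5, 20), 51.5074, -0.1278)
BOB = User(2, "bob", "bob@example.com", date(1995, 1, 1), 51.5155, -0.0922)
TODAY = date(2013, 1, 1)

def serialize_whole_user(u: User) -> dict:
    """The anti-pattern the thread describes: dump the entire model, let the client sort it out."""
    d = asdict(u)
    d["birth_date"] = u.birth_date.isoformat()
    return d

def distance_km(a: User, b: User) -> float:
    """Great-circle (haversine) distance between two users, computed server-side."""
    lat1, lon1, lat2, lon2 = map(math.radians, (a.lat, a.lon, b.lat, b.lon))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def proximity_bucket(km: float) -> str:
    """Coarsen the distance so the response does not expose a precise position."""
    for limit in (1, 5, 25):
        if km < limit:
            return f"< {limit} km"
    return "25 km+"

def age_on(birth: date, today: date) -> int:
    return today.year - birth.year - ((today.month, today.day) < (birth.month, birth.day))

def serialize_for_viewer(target: User, viewer: User, today: date) -> dict:
    """Allow-list projection: only what the client needs, derived from the viewer and request."""
    return {
        "id": target.id,
        "username": target.username,
        "age": age_on(target.birth_date, today),
        "distance": proximity_bucket(distance_km(viewer, target)),
    }
```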

------
wyck
| Skout immediately suspended the service for teenagers and went through a
security re-vamp

Guess that wasn't such a great re-vamp.

