Archive

Posts Tagged ‘Quidco’

Quidco App for Android Updated – v1.0.5 and v1.0.6

August 24, 2011 2 comments

On the 23rd August, a new version of the Quidco App for Android was released to the Android  market. It claims to resolve the security problem indicated here.

v1.0.5

Quidco App for Android Updated - v1.0.5

Quidco App for Android Updated - v1.0.5

The updates include #11 – Removed debug logs..
It’s great to see such a quick response to a problem, however the raft of updates created some further bugs, and v1.0.5 was quickly superceded by v1.0.6.

v1.0.6

Quidco App for Android Updated - v1.0.6

 

Software Updates

As always, I advise you to keep all your software up to date. You can access the latest version of the Quidco app for Android directly from the Android Market.

I have not yet confirmed the claims that logging is removed and the log file created by the v1.0.4 version is deleted, will update when these checks have been completed.

Beta Testing

If you’re going to release beta software, make it by invite only, then you know who is running it.
If you get a serious issue, you know who’s affected and have a central place to disseminate information.

Wikipedia says

Versions of the software, known as beta versions, are released to a limited audience outside of the programming team. The software is released to groups of people so that further testing can ensure the product has few faults or bugs. Sometimes, beta versions are made available to the open public to increase the feedback field to a maximal number of future users.

http://en.wikipedia.org/wiki/Beta_testing#Beta_testing

 

Want To Know More About Quidco?

Read my post on Quidco – how it works and why you should sign up.

Advertisements

Quidco App for Android Logs Username, Password, IMEI and Card Details Without Encryption

August 21, 2011 3 comments

Quidco App for Android v1.0.4 – Still Just A Beta Test

I installed the Quidco app for Android from the Market a few days back, and I thought it would be nice to do a review.
However, after a bit of poking around I found a log file – Qlog.txt – with my Quidco username and password stored plain-text.

Quidco Username & Password

A quick check revealed also the app was logging my quidco userID and my phones IMEI number.
The IMEI is unique to every handset, and doesn’t necessarily relate to any individual, the SIM does that through the IMSI.

Anyway, the quidco app gets your IMEI through the READ_PHONE_STATE permission, which is requested on installation. It is shown below as Read Phone Status and ID.

Quidco App Permissions

Store Card

The app gives you the opportunity to register a credit card, for earning in-store cash back.
I read through the terms and conditions first, to see what safe guards are in place to protect my data.

T&C Section 2

Great! My card details are only stored and processed in encrypted format..

Screen grab was made after bug found, to illustrate the problem, but log file is exact except redactions.

My Card 8888..

Logged Un-Encrypted

Data Protection Fail.
Please note, the screen grab of card number was made after the bug was found, to better illustrate the problem, but the log file is exact except redaction.

Further Development

This fault has been reported to Quidco, un-installing the app does not delete the log file.
My handset has root privileges, you may be able to view or delete you own log file without root.

Update; the Quidco response to this issue is

..that the android version of the Quidco app is only a test version and this is not meant for use at the moment.

We have not launched the android version of the app so any personal use of this is completely at your discretion as we are currently running our own tests on this to ensure everything is ready before our official release.

If you have any worries or concerns, contact the app developer or read the Information Commissioners Office guides;

Disclosure of personal information
If your personal information has been disclosed in a way that you did not expect you can complain to us.

http://www.ico.gov.uk/complaints/data_protection/supporting_evidence.aspx#disclosure

Security or loss of personal information
If your personal information has been lost or is not held securely you can complain to us.

http://www.ico.gov.uk/complaints/data_protection/supporting_evidence.aspx#security

I’m sure it’s possible a malicious program could be written to extract these details from your log, and gain full access your quidco.com account.
You do use a different username and password for all sites, don’t you?