1/17/2025 at 2:10:37 PM
I'm about 90% sure that for some inane reason, McDonalds outsources and creates separate apps for each country/region with these disastrous security flaws, except that at HQ they universally demand horrifically counter-productive "anti-root" measures for every locale, to a larger extent than even finance apps. Why am I so sure about this? I live on the other side of the world, the app is almost certainly an entirely separate codebase from the Polish one the article is about, and yet here too it has the worst anti-root measures of any app by any remotely large company, including finance, healthcare and government apps. Enormous numbers of false positives. Even for those with the most mainstream Android models around.
This will all just come down to one person at McD's HQ who is forcing through these ridiculous ideas and costing their company a bunch of money in the process. No other multinational employs this strategy to any similar degree.
by maeil
1/17/2025 at 4:38:15 PM
I’ve worked on apps like this for companies like this. What happens is that their IT department mandates an expensive pen test for suppliers, anti-root requirements are on the pen-tester’s generic checklist, and most companies won’t push back on the pen test results. If you do, they normally fold and admit it’s not required.
by JimDabell
1/17/2025 at 7:03:07 PM
Pen-testers? People do it for auditors as well! $OLD_JOB literally took one of the auditor’s questions to heart and decided that the question meant they needed to separate the databases physically for each client; they didn’t realize they could have just said “logically separated”. People are more scared of these checklists than they really should be.
by gabeio
1/17/2025 at 4:53:13 PM
It's literally only McDonalds though who goes to this degree and does so across different codebases in locales across the world. The departments you're talking about exist in many places, but no other big company has their apps be like this so consistently.
by maeil
1/19/2025 at 7:36:21 AM
Other companies do similarly ridiculous things. I’ve personally had to push back on this in non-McDonalds companies, and I see others out there with the same kinds of problems. For instance, Starbucks has a different app for different countries, and they region-lock them. So if you have an Apple ID registered in one country and you visit another, you can’t install that country’s Starbucks app to order. Which is super unhelpful when there’s a language barrier because you are in a different country.
by JimDabell
1/19/2025 at 4:07:42 PM
I've had the websites of two American store chains (Napa and Publix) block me while standing inside their stores because my prepaid eSIM from airhub.com geolocates to Israel. I'd really like to know what's in the heads of people who come up with this sort of crap.
by Zak
1/22/2025 at 10:32:51 AM
> I'd really like to know what's in the heads of people who come up with this sort of crap.

They probably think that geolocation always perfectly works based on the physical location and don't consider edge cases like people with roaming SIMs (which is what I think a lot of those cheap data-only eSIMs effectively are) geolocating to their home country even when abroad.
Though by now you'd think that people are aware that e.g. the Google/Apple app store region locking basically locks out all tourists, but it seems that even that isn't necessarily common knowledge…
by iggldiggl
1/17/2025 at 3:19:15 PM
In news press about similar nonsensical and costly business decisions, some of them end up being an exec getting kickbacks or other self-dealing.
by dv_dt
1/17/2025 at 2:29:55 PM
Think of it as each country being its own company, contracting out to a local software house which may have different ideas of what security means.
by arccy