DEV Community

Cover image for The Fabulous App
Alfredo Salzillo
Alfredo Salzillo

Posted on

The Fabulous App

Episode 2: The Fabulous App

In January 2019, on Instagram, I see the publicity of a fabulous new social network and meeting app.
At the time the app was not released yet, but they are searching for sponsors.

A little quote from the web site of the app.

Our powerful service is possible thanks to a great team, a high performance server stock and a strong vision of what we want to achieve

On the site, there was a section with a list of sponsors, about 50.

Intrigued from this premise I go on looking at the staff.

The Staff

Developing high-quality business strategies and plans ensuring their alignment with short-term and long-term objectives; leading and motivating employees to advance employee engagement develop a high performing managerial team. Overseeing all operations and business activities to ensure they achieve the desired results and are consistent with the overall strategy and mission.

The Founder of this "startup", describer in the quote above, is an Italian, maybe a student in something or maybe not, was not clear at the time, neither is now.

The staff is composed of (always from the site)

  • 2 Graphic Designers
  • 1 Local Trade Manager
  • 1 Multimedia Manager
  • The Founder

OH, but..., wait for a moment, if you are confused, I'm still now, you are not alone.
Exactly. They are developing a meeting social network mobile cross-platform app with ZERO DEVELOPERS.

You just need to wait

Not afraid of the absence of developer I go on following the project.
The initial release date was set in March.

  • March: the Founder announced that they had some problem and the release was delayed of two months, but they release some video, with some amatorial naked models to sponsor the app.
  • April: another video is released with a release date and a list of the app partnership with some famous Italian clubs.
  • May: they say that have sent the app in revision on the play store and app store and started taking away some bracelets in the clubs with the app logo on it. They also started a premium program from the first 2000 users giving away promotional code on Instagram.
  • July: for Google the app is ok, but Apple has refused it.
  • The end of July: the app is released.

Perfection

And, I have to say it, the app is perfect beyond my imagination.

  • A beautiful login page
  • A beautiful logo
  • A beautiful design
  • A beautiful user experience
  • A lot of users
  • In two weeks 0 bug

I'm kidding.
The app is a very mess.
Is not usable, a lot of lag, and glitch on the interface.
Starting from the opening animation was clear to me that the app is not native.

I started thinking, what technology have they used? What framework?
And after 5 minutes of usage the response: an error appears on the screen saying that the ajax method was not found.
JQuery, Cordova, Bootstrap, a lot of this technology started to jump into my mind.

But I need proof.

The terror

After decompiling the app, all of my nightmares become true.
The app was made with Cordova, using JQuery and Bootstrap. The code was a mess, old javascript code copy-pasted from the internet without any idea of ​​what was being done.

It starts to be clear to me that, not only developers weren't mentioned on the site, but also they haven't one.
Maybe the Founder or the Multimedia Manager have put this shit together.

But it can always be worst. From the code, I get all the API used and started trying some of that.

The backend is made with PHP and deployed on apache on a private server.

I do log in, using my credential and get an authorization token to use for the other API.
I get the list of the user near me.
I get the first user id.
And nothing more. I was scared of what I discovered.

The profile API response contains the field password with a value encrypted with md5.
So, every one Know that exists some online site with a collection of decrypted password, how someone can use to decrypt the password, right? And what everyone knows is that people use the same password for everything.

But why make take so complicated, why you need to decrypt the password when the profile API response contains the authorization token of the user?

Now, I'm a good guy and I don't do these things, but using that token you can read all the user chat, chat with private information suck phone numbers and private pics, it's a meeting app.

I'm a good guy

After discovered that anyone can read others chat or steal their password I contacted the Founder.

Three weeks later the security problem is not resolved. The Founder says that it's still a beta, and there are other things they are fixing.

I think they haven't a developer. I think they at least should mail users letting them know that the app is very insecure, that someone can read their chat and steal their password. I think the app should be removed from the stores until the problem is fixed.

But my problem is another, how they can think that doing a meeting app is so simple that they don't need developers? They want to do a meeting app with only designers.

And now, what would you do knowing the app in insecure?

Top comments (1)

Collapse
 
xorti profile image
Jorge Sá Pereira

Nice reading. 👌
Is this the same Fabulous App (habits)?

Google the quote on The staff section and you'll see were it came from. You might be surprised.

resources.workable.com/ceo-job-des...