You know what they say about the road to hell and good intentions? The latest example can be found in the form of “Reporta,” an app developed by digital marketing agency RevSquare on behalf of the International Women’s Media Federation. The app is intended to provide additional safety tools to reporters working in the world’s trouble spots, letting them keep contacts apprised of where they are and send an SOS in emergencies. However, upon reverse-engineering it, Motherboard has determined that the app is fundamentally insecure.
Motherboard notes that the app uses Google Analytics, and caches the user’s locations unencrypted on the device before sending them to Google’s servers, making it easy for anyone with access to the reporter’s phone to reconstruct exactly where they have been. It also uses an insecure encryption method when connecting to its server.
In response to criticism, the IWMF has announced it will be open-sourcing the app. However, this doesn’t placate the security experts who continue to express concerns over the application.
“They’re not releasing their audit reports … nor are they apparently planning to fix their fundamentally broken model where they have access to all their users’ information,” independent security researcher Eleanor Saitta told Motherboard. “Even assuming their code is completely clean, until they do both of these things, it’s still a complete security risk and should never be used.”
It’s hard to fault the IWMF for wanting to help keep reporters safer. But any reporter contemplating using such a system should be aware that there are no shortcuts to personal safety and security, and trying to take one could end up landing you in trouble. And organizations like the IWMF should recognize that entrusting mission-critical security work to a marketing agency is a bad idea.