Jason Koebler, Joseph Cox, and Emanuel Maiberg, writing for Vice, provide a look at the app that was supposed to make it easy for volunteers to report the results of the Iowa caucuses.
Motherboard asked six cybersecurity and app development experts we trust to analyze the app. The app was built on top of React Native, an open-source app development package released by Facebook that can be used for both Android and iOS apps, according to Kasra Rahjerdi, who has been an Android developer since the original Android project was launched, and Robert Baptise, a white-hat hacker who has exposed security flaws in many popular apps and reviewed the code. Rahjerdi said that the app contains default React Native metadata and that it comes off as a "very very off the shelf skeleton project plus add your own code kind of thing."
"Honestly, the biggest thing is—I don’t want to throw it under the bus—but the app was clearly done by someone following a tutorial. It’s similar to projects I do with my mentees who are learning how to code," Rahjerdi said. "They started with a starter package and they just added things on top of it. I get deja vu from my classes because the code looks like someone Googled things like 'how to add authentication to React Native App' and followed the instructions," Rahjerdi said.
"The mobile app looks hastily thrown together," Dan Guido, CEO of cybersecurity consulting firm Trail of Bits, told Motherboard.
So the app has the look of something that was written by someone who's a newcomer to programming, rather than someone experienced.
To properly login and submit results, caucus chairs had to enter a precinct ID number, a PIN code, and a two-factor identification code, each of which were six-digits long. "We saw a lot of people entering their precinct ID instead of their PIN in the PIN spot. There were some issues with not knowing where to put what credential, which is a difficult thing to design around,” Niemira said. “Having to sign in with three different six-digit numbers is confusing on the best day, but it was a call that was made in order to help keep this process as secure as possible.”
The app required users to keep track of 3 different 6-digit codes and enter them in the correct fields, during a confusing, high-pressure event. And those users are all volunteers, from a demographic that's not known for its fluency with technology. That's a complete failure of user-experience design.
According to state records, the app was built in several months at a cost of $63,182.
"We started our engagement with the IDP in August and began requirement gatherings and beginning to develop the app at that point, so we basically had the month of August, September, October, November, and December to do it, though requirements gathering takes a long time, so we didn’t have a final production version of this until pretty close to caucus time," Niemira said.
The app was done in a rush, with no time to think through the requirements and create a design that would be usable, secure, and fault tolerant. Let alone to create code that was well-tested and robust. Or time to adequately train users and ensure that they had the app installed and working several weeks before the caucuses.
Election security experts have been saying for years that we should not put election systems online, and that we shouldn't be using apps to transmit results. And, if U.S. election officials are going to use apps like this, that they should be open to scrutiny and independent security audits.
“We were really concerned about the fact there was so much opacity. I said over and over again trust is the product of transparency times communication. The DNC steadfastly refused to offer any transparency. It was hard to know what to expect except the worst,” Greg Miller, cofounder of the Open Source Election Technology Institute, which publicly warned the IDP against using the app weeks ago, told Motherboard.
Stamos echoed that sentiment. "Our message is that apps like this should be developed in the sunlight,” he said, “and part of an open bug bounty."
Politicians seems to be allergic to doing things out in the open, with the full scrutiny and criticism that comes with transparency. This debacle is the inevitable result of secrecy, penny-pinching, tight timelines, and hubris.
∞