Subway has taken its mobile app security very seriously. According to mobile app whitehacker Randy Westergren – very, very seriously.
The hacker set his crosshairs to the Subway Android app, used to order and pay for the famous sandwiches, to uncover any potential vulnerabilities. What he found instead is an app slapped with certificate pinning and operating system modification checks usually reserved for high-end net banking apps.
"Subway was using a custom app signature verification process in order to prevent reversing of their APK (Android app file)," Westergren writes in a blog post (opens in new tab), detailing on his actions.
"[There was] an interesting attempt at preventing reverse engineering, though it actually only caused a slight delay.
"This is a great example of an app taking security very seriously, but I'm not quite sure of the reasoning behind the root checking process."
He praises the developer, but saying certificate pinning and signature verification will only “slightly impede” reverse engineering.
“This is a great example of an app taking security very seriously, but I’m not quite sure of the reasoning behind the root checking process. Though certificate pinning and signature verification techniques are generally a good idea, they only slightly impede the reverse engineering process.”
This means that if a smartphone user decided for a custom ROM on his / device, he won’t be able to order the sandwiches through the app.
Subway did not say who developed the app and it's not apparent who did. As security breaches increase in frequency and its consequences cost businesses more and more money, companies have started taking cyber security seriously.