Someone at Subway is a serious security nerd

App hacker Randy Westergren has outed the application developer at sandwich kingpin Subway as a serious security nerd. The hacker set sights on the Subway Android app, which allows users to order and pay for sandwiches from their devices, in a bid to uncover possible vulnerabilities. He instead …

  1. Lusty

    "Security" is starting to do my head in. Dominos made me set a long complex password a while ago to protect my previous orders from ne'er-do-wells. I really don't mind folks hacking my pizza history, that's why my old password was "password". You're not a bank, Dominos, you're a pizza shop. I'll never let you store my credit card data even if you did offer that. Same for Subway and any other like them. Make my life easier, not more secure. Place appropriate security on your processes, and sack anyone doing security for security's sake.

    1. ratfox Silver badge

      I do hate it when websites I really don't care about force me to use a complex password, often with weird rules such as "at least one special character not in ,.*$-+". This forces me to create a new password unique to this site, which I'm guaranteed not to remember six months later when I first need it again. If you have to ask such a password, make sure your recovery options work well.

      1. A Non e-mouse Silver badge

        @ratfox

        What's even worse is when a website claims your password is invalid and "not strong enough" when, actually, your password is too strong and their web application can't cope with it.

        BTW - remembering strong passwords: Isn't that what password managers are for?

        1. ratfox Silver badge

          Re: @ratfox

          I don't like the idea of password managers, because it means I would likely forget even passwords which I use all the time. Then it would be a real problem whenever I need to use a device on which I can't use the password manager (my wife's phone, machines with install constraints, etc.) I'm not too comfortable having a lot of important data stored in a single place either; seems risky.

          But maybe I'm just too lazy to try.

        2. Anonymous Coward
          Trollface

          Re: @ratfox

          "BTW - remembering strong passwords: Isn't that what password managers are for?"

          No, that's what post-it notes are for...

      2. Nolveys
        Trollface

        Writing password complexity verifiers is pure joy. You start with a list of rules, there must be a number here, a capital here, a non-letter-or-number here, etc. Then, when the user tries to set a password, you tokenize the password into capital letters, lower case letters, numbers and other character groups.

        You then iterate the rules over each token until one of the rules fails (which is guaranteed to happen for all but one rule for each token). Then you return an error message to the user describing the failed rule and the position at which the rule failed (but not subsequent rule failures, as those have yet to be determined and if they had stating them would ruin the fun). At this point the first rule is thus decided and we are ready to start the next attempt, thereby determining the next rule. If there is only one token then an arbitrary next rule can be selected.

        As the number of attempts is arbitrary it needs to be set to some value. I find that four is the correct number for things that people don't care about and will abandon if password verification fails too many times. Things that people really need to access can usually be set to ten.

        My goal is to hit forty.

        1. Anonymous Coward
          Anonymous Coward

          You also need helpful error messages:

          "That password has already been used by ${USERID}. Do you want to log in as ${USERID} instead, or do you want to pick another password?"

          1. ratfox Silver badge
            Happy

            "That password has already been used by ${USERID}. Do you want to log in as ${USERID} instead, or do you want to pick another password?"

            Oh, I'd love that one to be implemented by my bank.

            What has also happened to me at least twice is that after forgetting and resetting my password, I study the weird rules for creating a new one, craft a brand new password, only to get an error message saying I'm not allowed to re-use the old password.

        2. Kubla Cant Silver badge

          Password verifiers

          The enterprise incarnation of MS Windows evidently includes a feature that allows the BOFH to implement a complex set of password rules without telling anyone what they are. So on the day when you start a new job, and you have 100 other things to remember, you have to go through this:

          Computer says "You have to change your password at first login."

          You enter a new password from the range of passwords you can remember.

          Computer says "No. Does not conform to rules."

          You enter a mangled version of one of your memorable passwords.

          Computer says "No. Does not conform to rules."

          ...repeat many times with increasing mangling until...

          You enter an impossibly complex password that will conform to just about any rules. It is 30 characters long and includes uppercase, lowercase, digits, punctuation, whitespace, runes and hieroglyphs.

          Computer says "Oh all right then."

          You immediately forget the complex password.

          1. Anonymous Coward
            Facepalm

            Re: Password verifiers

            Then choose something like "OMG seriously? day one and I have to remember another password!",

            That is roughly what you were thinking when challenged for the new password, the two are already linked, make a phrase out of it and fit that phrase to the complexity rules.

            "OMGsrsly?D@y1"

            Say it to yourself a few times, you could even write the longhand down as part of your first notes.

            Passwords are hard if they don't flow or have no links to the situation. If you build passwords from long phrases the compressed result can be pretty good and you can have the seed in plain sight. Try not to choose phrases like "looking forward to punching X!" unless that is all you can think about, in which case you probably won't need to write it down.

    2. Jay 2

      I've got a (rarely used) account with Dominos. A few weeks back I attempted to use it, but for various reasons I couldn't log in and the password reset mechanism was completely broken.

      So I ordered from Papa Johns instead, who on reflection make better pizza anyway.

      1. Anonymous Coward
        Anonymous Coward

        Papa Johns (UK) are unrepentant spammers though. :(

      2. Michael Wojcik Silver badge

        So I ordered from Papa Johns instead, who on reflection make better pizza anyway

        This seems to imply that Domino's sells pizza. Is that new? The last time I had "food" from Domino's it didn't meet the minimum criteria for pizza.

    3. Lamont Cranston

      Quite agree.

      This nonsense is why I'm locked out of the Just Eat and Hungry House apps. All for the best, though, as those companies are useless parasites on small businesses, and the man in my local curry house is a lovely chap to chat with on the phone.

      1. JDX Gold badge

        Re: Quite agree.

        Main benefit for me is I can pay online for delivery, as most local places don't provide this.

        Also, half the time when I phone up the combination of noisy work environment and language issues means I'm fairly unsure quite what I've ordered and where they're going to send it.

      2. Tezfair
        Thumb Up

        Re: Quite agree.

        When the wife rings for an Indian, she gets as far as 'Can I order an..' when the chap at the other end says 'Hello Marie'.

        Always get a freebie included. Bet you don't get that with an app

        1. Anonymous Coward
          Anonymous Coward

          Re: Quite agree.

          Yeah, that bloke is weird, calls everyone Marie.

          Wish I'd have known that the first time as it would have saved buying that dress.

      3. Anonymous Coward
        Anonymous Coward

        Re: Quite agree.

        I hate Just Eat's latest stupid ad campaign with a passion, so have vowed never to use them.

        1. Chloe Cresswell

          Re: Quite agree.

          I used to use them a lot.

          Then I was issued a new debit card, and can only pay by card now if I'm having it sent to my home.

          As 90% of the orders were when I was out on the road, that meant I had to pay cash (if I had any), and if I'm paying cash, I might as well skip the middle man and ring somewhere direct!

    4. PassiveSmoking

      And when your credit card gets p0wn'd, I'm sure you'll be the first to whine about it.

    5. Stevie Silver badge

      I'll never let you store my credit card data even if you did offer that

      And just how, pray, do you prevent them from doing that if they really want to?

      Plus: Your credit card data are intended to be publicly revealed. To think that a credit card is secure over a blind tele-transaction is optimistic to say the least.

      Naive pizza customer is naive.

    6. Anonymous Coward
      Anonymous Coward

      480 pizzas at 8pm tonight?

      Order placed.

  2. Trevor_Pott Gold badge

    Subway devs employ security by design

    About time. I hope the chaps behind this app get bought up by some top end development houses and spread their approach far and wide. Preferably attached to salaries large enough to buy themselves private islands.

    Good job those folk.

    1. Lusty

      Re: Subway devs employ security by design

      Why Trevor, the article even says that their methods were pretty trivial to bypass? Not that I don't think they shouldn't be rewarded for being competent, our industry could certainly do with a few more competent people...

      1. Pascal Monett Silver badge

        Re: "the article even says that their methods were pretty trivial to bypass"

        Not quite.

          The article quotes: Westergren says certificate pinning and signature verification are laudable goals for application developers but will only "slightly impede" reverse engineering

        That means that it is not difficult to pick the app apart, which is rather logical. It is, however, more difficult to tamper with the app without said app noticing it, and the pic in the middle of the article clearly shows that you don't get away with it easily.

    2. Mark 85 Silver badge
      Thumb Up

      Re: Subway devs employ security by design

      We beg for security by design and I'm guessing there will be more than one commentard berating Subway for this. I realize it's only a sandwich shop, but if they can do it, so can the bigger chains and they should. It may not be the best security but it is a start.

      1. Lusty

        Re: Subway devs employ security by design

        "We beg for security by design" actually most around here tend to beg for choice such as third party firmwares which this seems to not play with. Ask yourself, out of all the commentards, how many would prefer not to be able to use an app for ordering a sandwich compared to how many are happy that a sandwich app is so secure they can't use it with their modded phone?

        Security is fine where appropriate, and banks should definitely do this stuff, but ordering a sandwich just doesn't justify this.

        1. nematoad Silver badge

          Re: Subway devs employ security by design

          "Security is fine where appropriate, and banks should definitely do this stuff, but ordering a sandwich just doesn't justify this."

          Oh, and what happens if a person uses the same password on a lot of sites, trivial or not. You lose one, you lose the lot.

          "The weakest link" and all that.

        2. djack

          Re: Subway devs employ security by design

          "Security is fine where appropriate, and banks should definitely do this stuff, but ordering a sandwich just doesn't justify this"

          I'm not even sure that banks should be doing some of the checks that they do. Such as rooted device checking. I was given the choice of running a stock firmware with known vulnerabilities (updates no longer being produced by the manufacturer) and being able to use my bank's app, or running an updated custom firmware that my bank deems to be insecure.

          1. John Robson Silver badge

            Re: Subway devs employ security by design

            @djack - running an updated custom firmware that my bank deems to be insecure.

            Your bank doesn't deem it insecure, they just haven't checked.

            And why should they, care I mean. It's the OS - that's the user's responsibility isn't it?

          2. Dan 55 Silver badge

            Re: Subway devs employ security by design

            Doing certificate checking properly is great but I'm not sure what checking for root is supposed to achieve.

            Channel 4 also tells you off for having a rooted phone, even though CyanogenMod despite being pre-rooted is probably one of the most secure firmwares out there. The end result is I don't use their app, not I don't suddenly see the error of my ways and downgrade to stock 4.1.

            I suppose Privacy Guard needs a 'don't allow app to detect root' option in the list of permissions, if Android is that fine grained.

  3. Anonymous Coward
    Anonymous Coward

    They're watching

    It's an NSA honeypot, if you order falafel and spiced lamb with mint yoghurt sauce you're obviously Middle Eastern and a 'person of interest'

    1. Mark 85 Silver badge
      Devil

      Re: They're watching

      Or you could be suspected of being a peadophile after all the news about "Jerod" lately. Oh, wait.. that's not NSA watching them. That's GCHQ if I remember right...

      1. Anonymous Coward
        Anonymous Coward

        Re: They're watching

        "Or you could be suspected of being a peadophile"

        That only happens if you add lots of peas to your overpriced sub. (*)

        In Jared Fogle's defense, AFAIK the raid on his home was evidence gathering related to the former director of his charitable foundation having been arrested on several paedophilia-related charges. It's not clear that there's any evidence Fogle himself was involved in similar activities.

        (*) Assuming Subway offer "peas" as a topping. Which they probably don't.

  4. A Non e-mouse Silver badge
    FAIL

    Apples & Oranges

    I don't think certificate pinning or O/S checks are intended to prevent reverse engineering. They're there to try and ensure that someone isn't doing something nasty to the end-user (e.g. fake Subway servers).

    Without hardware assistance, I believe it's quite hard to truly prevent reverse engineering of software. All you can do is insert traps to slow people down.

    At the end of the day, the app developers took some time and trouble to make reasonable efforts to protect the service they provide and they were slapped down by someone seeking some publicity.

    1. Jad

      Re: Apples & Oranges

      Absolutely, low hanging fruit and all that.

      It's the same reason you shred all your financial documents (and letters from school, and Virgin, etc) so that it's hard to get information from them ... you can't stop a really determined person getting data back from shredded paper, but if someone else has non-shredded paper with all the details you want on it they will go there first.

      1. Anonymous Coward
        Anonymous Coward

        Re: Apples & Oranges

        you can't stop a really determined person getting data back from shredded paper

        Burn it, and stir the ashes well. No possibility of recovery/reconstruction from that (with foreseeable tech).

    2. Yugguy

      Re: Apples & Oranges

      Agreed - anything can be broken with enough skill and time.

      He's basically a digital Mr. "You don't want to do that"

  5. Anonymous Coward
    Anonymous Coward

    Hold the cucumber!

    No comment re security, just hold those awful cucumber slices!

  6. TeeCee Gold badge
  7. JulieM Silver badge

    Expensive locks on cheap flimsy doors that lead to empty cupboards

    My Inner Paranoiac says it's precisely the sandwich ordering bit they don't want you poking about with.

    Think about it. If there existed an open and extensible protocol for describing the construction of a sandwich, possibly extending to querying ingredients actually available, that might actually be useful to the consumer of sandwiches. A single app could query multiple sandwich shops and direct you to the best match for your requirements. There could even be multiple, competing sandwich apps not locked to individual vendors. How about a vegan sandwich app that won't allow you to select real butter, honey or m**t; or one for grown-ups with imaginary friends that won't let you order bacon, or anything at all on certain dates when supposed to be fasting? (Possibly even dodgy ones that order extra salad without you asking, or won't let you ask for certain ingredients without a paid upgrade).

    Absent any such thing, we face incompatibilities which arise by accident and are maintained on purpose to lock us into the same vendors. The Subway sandwich app exists not to make it easier to buy sandwiches from Subway, but to make it harder to buy sandwiches anywhere else.

    1. Jim 48
      Mushroom

      Re: Expensive locks on cheap flimsy doors that lead to empty cupboards

      I've got to ask, why the hell is 'meat' (I presume, from the context, that that is what the 'm**t' is) bleeped out? Is it some kind of vegan trigger warning and if they see the word written out in full they will instantly want a bacon sandwich (on sliced white, no butter, brown sauce). And of course they'd never be able to figure it out for themselves, like dogs and the b-a-t-h.

      1. Sir Runcible Spoon Silver badge

        Re: Expensive locks on cheap flimsy doors that lead to empty cupboards

        " like dogs and the b-a-t-h."

        Our dog has learnt to spell, so that one's out. If I ask her to go outside and do a wee and it isn't obvious we are about to leave the house, she gets very suspicious and I think she has now successfully managed to piece together that this is a precursor to having a shower :)

        1. VeganVegan

          Re: dogs and b-a-t-h

          Our cats have figured out s-n-a-c-k. They snap out of their napping mode and start licking their lips when they hear us spelling out the word.

          1. Sir Runcible Spoon Silver badge

            Re: dogs and b-a-t-h

            When it comes to actual food potential the whole spelling thing just goes by the wayside and she brings out the big guns: telepathy.

            Seriously, you've only got to think about going into the kitchen for something and she can go from 'lying on her back with her legs pointing to the four corners of the universe' to 'stalking mode with ears in Jodrell Bank position' in as much time as it takes to blink :)

            1. Danny 14 Silver badge

              Re: dogs and b-a-t-h

              cup of T-E-A ?

              oh wait a min.

  8. Destroy All Monsters Silver badge
    Pint

    "Because there’s something about having your life on the line."

    If the security of your Pizza is taken more seriously than the security of your Bank/Federal Outfit/Medical Provider...

    ... then you are ordering at CosaNostra Pizza!

    Uncle Enzo wishes buon appetito!

    1. Graham Marsden
      WTF?

      Re: "Because there’s something about having your life on the line."

      +1 for the Snow Crash reference, but, just for interest, I did a search for CosaNostra Pizza and got a whole bunch of hits from *real* stores...!!

      1. Sir Runcible Spoon Silver badge
        Thumb Up

        Re: "Because there’s something about having your life on the line."

        "got a whole bunch of hits"

        deliberate? :)

        1. Graham Marsden
          Unhappy

          Re: "Because there’s something about having your life on the line."

          "deliberate?"

          No.

          .

          .

          .

          .

          .

          .

          .

          .

          .

          .

          Damn... :-(

          1. Sir Runcible Spoon Silver badge

            Re: "Because there’s something about having your life on the line."

            Unintended is always funnier :)

  9. Joe Harrison

    To be fair

    I've got a lot of sympathy with everyone who just wants to buy a sandwich and doesn't see the need for top security. To be fair though perhaps they are planning some sort of electronic payment in a later version? It didn't go down well when Starbucks gift cards got the hack.

  10. Drefsab_UK

    I hate a lot of this

    It's really frustrating that this seems to be a growing trend in that if you run a custom ROM then sorry, we don't want you.

    I get protecting the app from reverse engineering, but look at the HTC One X+: it's still a good and fast phone and it has 64GB of storage, but software support was dropped by HTC a while ago, meaning no Lollipop, no Heartbleed fix, let alone other issues that existed (bugged Bluetooth stack etc).

    Then you have the devices tied to carrier updates, so the vendor may push out an update but the carrier never pushes out an OTA. Meaning even more security issues.

    However, if you update to a custom ROM, you can fix a lot of these issues, but then that apparently makes you some kind of pariah to the likes of Subway or Sky / Virgin Media / online banks. The result is not that I switch to using stock; the result is that I just don't use your apps, which is not what the app developers really want. The whole point is to have their apps used. Surely a more sensible balance could be approached (look at Netflix for example, which works great on a custom ROM and streams media even when Sky and Virgin can't).

  11. Martin H Watson

    Some days here I can't even be bothered to login to comment, and I check the "remember me on this computer" box.

  12. Anonymous Coward
    Pint

    Damned if they do...

    I'm not sure what the story is here. It seems to me that it is usually easier to do things properly, even in instances where a bodge would be adequate, because that way, you don't need constantly to decide when "proper" methods should be used or not. In this case, a relatively trivial app appears to have conformed to some semblance of good practice, and although that good practice may be overkill, it remains good practice. There's no particularly negative story here about excessive security other than a bit of insider criticism to demonstrate a bit of "I wouldn't do it like that" opinion. A real story would have been if it required inputting your mother's maiden name to add sliced tomato, which would have been process security gone mad.

    Beer, a better alternative to an elongated sandwich anyway.

  13. Joe Montana

    Theatre

    The certificate pinning makes a lot of sense, as you really can't trust CAs these days... The anti reverse engineering stuff is just stupid, as the article points out it just slows someone down slightly but doesn't actually prevent them from doing anything.

    Knowing how something works doesn't make it insecure unless the design is fundamentally flawed. Everyone has access to the source code for Linux, and yet many highly secure devices are Linux based. And if your application is so flawed that someone who understands how it works can do nasty things then I don't want to be using it at all.

    I would much rather fully understand what I'm using, or at the very least know that I have access to do so should I desire, and that others whose abilities I respect have already looked. I don't want to be using a black box full of security holes just waiting for the first blackhat to find and privately exploit them.
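The certificate pinning that A Non e-mouse's "Apples & Oranges" post and the "Theatre" post above both defend is easiest to see in code. The block below is an added example, not the Subway app's code (which is not public): it pins the SHA-256 of the server key's SubjectPublicKeyInfo rather than the whole certificate, so a routine certificate renewal on the same key does not lock clients out, and it checks a pin set (with a backup pin) against every certificate in the presented chain. The DER fixture at the bottom is a constructed skeleton, not a real certificate.

```python
import base64
import hashlib
import hmac


def _read_tlv(buf: bytes, pos: int):
    """Parse one DER TLV at pos; return (tag, value_start, value_end)."""
    tag = buf[pos]
    pos += 1
    length = buf[pos]
    pos += 1
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def extract_spki(der_cert: bytes) -> bytes:
    """Return the DER bytes of subjectPublicKeyInfo from an X.509 certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    tag, start, _ = _read_tlv(der_cert, 0)          # outer Certificate SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, pos, tbs_end = _read_tlv(der_cert, start)  # tbsCertificate SEQUENCE
    if tag != 0x30:
        raise ValueError("malformed tbsCertificate")
    tag, _, end = _read_tlv(der_cert, pos)
    if tag == 0xA0:            # explicit [0] version present: skip it
        pos = end
    for _ in range(5):         # serialNumber, signature, issuer, validity, subject
        _, _, pos = _read_tlv(der_cert, pos)
    tag, _, end = _read_tlv(der_cert, pos)          # subjectPublicKeyInfo
    if tag != 0x30 or end > tbs_end:
        raise ValueError("malformed subjectPublicKeyInfo")
    return der_cert[pos:end]


def spki_pin(der_cert: bytes) -> str:
    """pin-sha256 of the certificate's public key: base64(SHA-256(SPKI))."""
    return base64.b64encode(hashlib.sha256(extract_spki(der_cert)).digest()).decode()


def chain_matches_pins(chain_der, pins) -> bool:
    """True if any certificate in the presented chain carries a pinned key.

    Run this *after* normal chain validation, never instead of it. The pin set
    should hold a backup pin for the next key so a rotation is not an outage.
    """
    for cert in chain_der:
        try:
            pin = spki_pin(cert)
        except (ValueError, IndexError):
            continue                                 # unparsable cert never matches
        if any(hmac.compare_digest(pin, p) for p in pins):
            return True
    return False


# --- constructed fixture (NOT a real certificate): minimal DER skeleton ---
def _tlv(tag: int, body: bytes) -> bytes:
    assert len(body) < 128  # short-form lengths suffice for the fixture
    return bytes([tag, len(body)]) + body


FAKE_SPKI = _tlv(0x30, _tlv(0x30, b"\x06\x03\x2a\x03\x04")
                 + _tlv(0x03, b"\x00\x04\x01\x02\x03"))
FAKE_TBS = _tlv(0x30, _tlv(0xA0, b"\x02\x01\x02") + _tlv(0x02, b"\x01")
                + _tlv(0x30, b"") * 4 + FAKE_SPKI)
FAKE_CERT = _tlv(0x30, FAKE_TBS + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))
PIN_SET = {spki_pin(FAKE_CERT), "BACKUPPINBACKUPPINBACKUPPINBACKUPPINBACKUPPI="}
```

On a live connection the same check runs over the leaf certificate from `ssl.SSLSocket.getpeercert(binary_form=True)` once the standard verification has passed.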

  14. PassiveSmoking

    Wow, of all people to be on the opposite end of the security bell curve from Adobe, Subway is the last candidate I'd expect.

    Having said that, it's kind of sad that an app that actually doesn't have utterly broken security is considered a pleasant surprise. This is pretty much the level most apps where money and/or private data can change hands should be aiming for.

    1. Pascal Monett Silver badge

      What is really sad is the fact that you can order your sandwich online with better security than some banks can offer you.

  15. Stevie Silver badge

    Bah!

    Sounds like sour grapes on the part of the reviewer who, from what I can gather from the article, was interrupted in his attempt to bend the Subway app writer over for some fun by the unmistakable sensation of an order of app writer sausage sliding up between his cheeks.

  16. Gene Cash Silver badge

    Check for root & custom ROMs? Really?

    There's a fine line between security and "don't want my money" and this crosses it.

    Guess I'll be eating at Jimmy John's then!
