In a day and age where mobile apps are heavily relied on for business, social interaction, and everyday activities, we have to ask: is there really a place for mobile apps in our election system? Or, more importantly, do we emphasize the security of mobile apps enough to allow them to play such a critical role in our elections? The coding errors revealed at the 2020 Iowa caucuses are a sobering reminder that this is not the case just yet, and many developers have a long way to go when it comes to developing applications that are secure enough to hold a place in our election system. So, what happened in Iowa? What can we learn from it? Let’s discuss.
What Happened in Iowa?
The Iowa caucuses were held on Monday, February 3rd, 2020, and what should have resulted in a clear winner only resulted in confusion, frustration, and ultimately, distrust in the election system. After the 2016 elections, where there was much discussion and skepticism over hacking and foreign interference in the election, the stakes and expectations around election integrity in 2020 are high. As the infamous first caucus took place, Iowa instantly fueled more fears about the 2020 election season when it contracted a third party, Shadow, Inc., to create a mobile application that would tally the caucus results.
As the caucus took place, precinct leaders quickly realized the mobile app did not operate as intended. Upon login, many received error messages filled with indecipherable tech jargon. Others simply could not get the mobile app to open. The developers apologized for the delays through a series of tweets and a statement on their website, but the realizations about the app, its development, and the negligence on behalf of the Iowa Democratic Party were striking.
From IDP Chair @troymprice:
"While I fully acknowledge the reporting circumstances on Monday night were unacceptable, we owe it to the thousands of Iowa Democratic volunteers and caucusgoers to remain focused on collecting and reviewing incoming results." https://t.co/Xog0CDZa7A
— Iowa Democrats (@iowademocrats) February 6, 2020
3 Key Takeaways from the Iowa Caucus Mishap
As we often point out at KirkpatrickPrice, vetting vendors is one of the most important decisions a business will make, and in this case, the Iowa Democratic Party is learning that lesson the hard way. When they partnered with Shadow to provide a mobile app for tallying purposes, they failed to investigate the development procedure and status of the application before using it. Instead, they blindly trusted this third party to provide a secure mobile app that ultimately was released in a beta version. When thorough code review or penetration testing isn’t performed before putting an app into production, it can have damaging effects.
Mobile App Security
With an influx of IoT devices and mobile apps, DevSecOps is a hot topic, and security must be ingrained in the development process instead of being something that developers review after the product is made, or even worse – after it’s put into production. In Shadow’s case, they failed to thoroughly test the product before allowing it to be used. This is especially surprising because they were contracted to create this app specifically for the Iowa caucuses. They released a beta version knowing that it could encounter errors and have trouble handling large numbers of users. According to some reports, they didn’t even distribute the app through Apple’s App Store or the Google Play Store – both of which have rigorous security testing measures in place. Why didn’t they do this? What motivation was more important than securing the app used for such an important event?
Relying on Personal Devices
Regardless of the security issues found within Shadow’s app, the mere fact that the Iowa Democratic Party instructed precinct leaders to download the untested, insecure mobile app on their personal devices is asinine. Personal devices are increasingly exposed to vulnerabilities that malicious third parties can easily tamper with and exploit.
While what happened in Iowa outraged many people and further heightened the fear of yet another year with election issues, it’s not the first time an organization failed to properly vet a third party, nor is it the first time a mobile app developer failed to put its product through thorough security testing, like the kind of mobile app pen testing we offer at KirkpatrickPrice. And, unfortunately, it’s likely that this won’t be the last time. As technology develops and continues to modernize the way we do business and go about our lives, we have to consider whether we are ready to modernize our elections. Do we value security and privacy enough to ensure that our election system won’t be compromised by negligence or malicious users?