Android App security patching

realestate.com.au Android app security fix

Earlier this week REA Group released a security update to its realestate.com.au Android app. This corrected how usernames and passwords are sent from the app to its servers when users sign in. This vulnerability was never present in the iOS version of the application.

The team at REA Group would like to thank industry security guru Troy Hunt for bringing this vulnerability to our attention. It was disclosed responsibly to us, giving us time to confirm, patch, test, and release the fix. Troy’s work is insightful and interesting – if you have a chance to read his blogs or see him speak at a conference, you won’t regret it.

[Image: Android login screen]

Fix It!

From a security team perspective, we are proud of our response. We became aware of the issue when it was disclosed to us on Sunday, and it was patched by Monday.

Our dedicated security team has grown over time, and consists of staff recruited from within the business, as well as specialist expertise hired into the company. As a security team, our engagement with our developers is a critical part of our model. The teams know us, and we know who we need to go to.

The human factor, the goodwill we have built by going beyond a model of IT security as the ‘security police’, permits us to approach and work closely with the development teams without delay when there is an issue.

On a tech front, REA Group’s development teams have invested heavily in automated build pipelines and Test Driven Development. This permits us to have confidence in their builds, with regression testing ensuring that past problems don’t get repeated.
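As an added illustration of the kind of regression check described above (this is example code written for this post, not REA's pipeline or app code, and the post does not describe the original flaw in detail), the snippet below inspects a captured sign-in request and reports anything that would put credentials on the wire in a recoverable way: a non-HTTPS scheme, a GET instead of a POST, credential fields in the query string, or a secret value appearing anywhere in the URL, where it would land in server and proxy logs. The two sample requests and the host name are constructed for the example.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample sign-in requests as a test harness might capture them.
# Neither is real realestate.com.au traffic; the host is a placeholder.
INSECURE_LOGIN = {
    "method": "GET",
    "url": "http://app.example.invalid/login?user=alice&password=hunter2",
    "headers": {},
    "body": "",
}
SECURE_LOGIN = {
    "method": "POST",
    "url": "https://app.example.invalid/login",
    "headers": {"Content-Type": "application/x-www-form-urlencoded"},
    "body": "user=alice&password=hunter2",
}

# Parameter names that should never appear in a URL (assumed list for the example).
CREDENTIAL_FIELDS = ("user", "username", "password", "pass", "pwd")


def login_transport_findings(request, secrets):
    """Return a list of human-readable findings for a captured sign-in request.

    An empty list means the request passed every check. `secrets` holds the
    credential values used by the test, so their presence in the URL can be
    detected even if the parameter name is unexpected.
    """
    findings = []
    parts = urlsplit(request["url"])

    # 1. Credentials must only travel inside a TLS-protected connection.
    if parts.scheme != "https":
        findings.append("credentials sent over plaintext scheme %r" % parts.scheme)

    # 2. Sign-in should carry credentials in a POST body, not as a GET.
    if request["method"].upper() != "POST":
        findings.append(
            "sign-in uses %s; credentials belong in a POST body" % request["method"]
        )

    # 3. No credential-named parameter may appear in the query string.
    query = parse_qs(parts.query)
    for field in CREDENTIAL_FIELDS:
        if field in query:
            findings.append("credential field %r present in URL query string" % field)

    # 4. No secret value may appear anywhere in the URL (path, query or fragment);
    #    URLs are routinely written to access logs and proxy logs.
    for secret in secrets:
        if secret in request["url"]:
            findings.append("secret value appears in the request URL")
            break

    return findings


def assert_login_transport_secure(request, secrets):
    """Regression-test style wrapper: raise if any finding is reported."""
    findings = login_transport_findings(request, secrets)
    if findings:
        raise AssertionError("insecure sign-in transport: " + "; ".join(findings))
    return True


if __name__ == "__main__":
    for name, req in (("insecure", INSECURE_LOGIN), ("secure", SECURE_LOGIN)):
        print(name, login_transport_findings(req, ["hunter2"]))
```

Wired into a build pipeline, `assert_login_transport_secure` fails the build the moment a future change reintroduces credentials in a URL or downgrades the scheme, which is the sort of regression such tests exist to catch.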

[Image: Android app map area]

What next?

While we believe we responded in a timely fashion to this alert, the fact is the vulnerability existed in the first place. This is where our organisational culture within REA helps us – a key component of how we work is that we try to make sure we learn from our mistakes.

Since we were made aware of the issue, we have been asking ourselves deeper questions (beyond the obvious questions around how this technical mistake was made). This is a practice we’ll continue to ensure our IT security is at its best.

At REA, we understand that the trust of consumers and customers is paramount – it’s why all of us in the security team come to work. Whilst discovering vulnerabilities in production apps can be frustrating, it also motivates us (and the teams we work with) to continually push to raise the security bar.

Aaron Wigley and Dick Ward, REA IT Security & Risk