0

We have an app to order food from restaurants, but the app developers decided not to verify any of the information provided by the restaurants, like the location and opening hours. Why might this decision pose a threat to the privacy and safety of users?

Kevin
Memo
  • Is this a homework question? It's an odd situation and question to ask without context. – schroeder Nov 17 '18 at 22:27
  • 1
    No, it is not homework, but I am interested in information security and I believe there are so many mobile apps that provide food ordering services but do not verify the restaurants' information. – Memo Nov 17 '18 at 23:10
  • You'd need to add more information for us to tell you what kind of threats there are. – forest Nov 18 '18 at 01:46
  • 3
    In your question you don't ask if these accounts pose a threat; instead you already claim that they pose a threat, and then ask others for information which might support this claim. To me this looks either like homework where you were given this claim to prove (which you deny), or like you got this claim from somewhere else without providing a source for it or saying how this unknown source supported it. In this case, please add these missing details to your question. – Steffen Ullrich Nov 18 '18 at 08:58

2 Answers

2

Your question lacks context. So, here is some (too) input:

Information security is about three things (order is not of importance):

  • Technology
  • Processes
  • People

Your example is lacking in "process" - i.e. how does the information get into the system? So, your question is how secure is a system when the information in it may be false.

That depends on the system. There are systems, such as games, where "truthness" of the information is not needed. However, if it is a game, the users are aware that the information is fictional. If it is not a game, but a public service (like the restaurant you mention), then the users should be made well aware that the information is not verified. And then the question comes "who owns the information", i.e. who is responsible. If you order and pay, and then the restaurant is in another city and refuses to deliver, what happens? These are part of the "processes" mentioned above.

In my view, the app owner has some responsibility to verify the information, and cannot claim to be an entirely neutral provider. Just to store and process your personal information, they will certainly be obligated by some regulation to comply with some security norms, depending on which country they are in. And I doubt any security auditor will give them the go-ahead in this case.

But I find your question a good example of information security -- showing that it is not only the technology (SSL, encryption etc.). It is processes. And people of course.

papajony
1

When the app does not verify the submitted restaurant data, then it might be impossible to find out who listed a certain entry. It is possible that some restaurants listed on the app do not actually exist. So these "restaurants" receive orders, but they never deliver. Why would they do this?

  • They want to collect personally identifiable information. The non-existing restaurant receives the customer's home address and food preferences and then they sell it to someone. In a few weeks, the customer will receive plenty of personally addressed advertisement material for other food delivery services which offer similar dishes.
  • If the app allows the customer to pay up front, a restaurant might be able to receive money without providing a service. Usual etiquette for food delivery is to pay in cash when the food arrives, so this might not apply. But be careful if the app also handles payment.

But even if the restaurant actually delivers, not being tied to a verified physical presence can put the consumer in a number of bad situations:

  • Restaurants might try to impersonate more renowned businesses in order to steal their customers. The customer thinks they are ordering from restaurant A, but they are actually served by restaurant B who delivers a worse product for the same price.
  • The food actually comes from the right restaurant, but the delivery person is rude and the food doesn't taste good. So the restaurant gets hit by several bad reviews. A week later, they remove the restaurant and repost it with a slightly different name and address. They now have a clean slate again.
  • The food is not just bad, it is harmful. They violate various health code regulations and various customers get food poisoning. The customers look for someone to sue, but then it turns out the restaurant was listed under a fake name with a fake address. Nobody can tell where that food actually came from, so they have nobody to press legal charges against. With the actual cook being unknown, they might try to press liability charges against the app provider instead. I am not a lawyer, so I am not qualified to estimate their chance of success, but just having to deal with such lawsuits is pretty annoying and expensive.
Philipp