While testing another bug on Android, I wiped my app data for the Monzo app. I was expecting this to return me to a “clean slate” state and be prompted for my email address again to get a new auth token.
This didn’t happen, however, and the app opened as normal, connected to my account.
This suggests some pretty worrying things to me:
1. The app is not persisting the auth token in the standard place (i.e. cache or app data)
2. The app doesn’t need to persist the token and uses some sort of device id instead once authorised
3. The app isn’t sending any sort of guid or entropy-based key when asking for authorisation
1 is pretty self-explanatory and just plain wrong if true, as wiping the app data should get rid of all settings/customisations done to an app.
2 and 3 are related, but if the app doesn’t need to store the token, the device id should be salted, or otherwise made unique per “installation”, and the salt stored in app data. When the app data is deleted, the next time the app starts a new salt is created and the device id sent is therefore different.
This starts to become a problem if you start adding features like pin protection to the app, where you could just bypass it by wiping the app data (and thus the stored pin). The pin would be gone, but that app is still authorised to talk to the API.
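The per-installation salt scheme described in the post, as an added example (not the Monzo app's code): a random salt is written to the app's private data directory, and the id sent to the API is an HMAC of the stable hardware id keyed with that salt. The data directory, the `deviceId` method and the hardware id string are assumptions; on Android the directory would be `context.getFilesDir()`, which "Clear data" wipes.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.SecureRandom;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/**
 * Per-installation device identifier: HMAC-SHA256 of a stable hardware id,
 * keyed by a random salt kept in the app's private data directory. Wiping
 * app data deletes the salt, so the next start derives a different id and
 * the API sees a device it has never authorised.
 */
public final class InstallationIdentity {
    private static final String SALT_FILE = "installation.salt";
    private final Path dataDir; // on Android: context.getFilesDir().toPath() (assumed)

    public InstallationIdentity(Path dataDir) { this.dataDir = dataDir; }

    /** Loads the salt, or creates a fresh 32-byte random one on the first start after a wipe. */
    byte[] loadOrCreateSalt() throws IOException {
        Path saltPath = dataDir.resolve(SALT_FILE);
        if (Files.exists(saltPath)) {
            return Files.readAllBytes(saltPath);
        }
        byte[] salt = new byte[32];
        new SecureRandom().nextBytes(salt);
        Files.createDirectories(dataDir);
        Files.write(saltPath, salt);
        return salt;
    }

    /** Derives the id sent when asking for authorisation; hardwareId stands in for e.g. ANDROID_ID. */
    public String deviceId(String hardwareId) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(loadOrCreateSalt(), "HmacSHA256"));
        byte[] tag = mac.doFinal(hardwareId.getBytes(StandardCharsets.UTF_8));
        StringBuilder hex = new StringBuilder();
        for (byte b : tag) hex.append(String.format("%02x", b));
        return hex.toString();
    }

    public static void main(String[] args) throws Exception {
        Path dir = Files.createTempDirectory("appdata"); // stands in for the app data dir
        String before = new InstallationIdentity(dir).deviceId("constructed-hardware-id");
        String again = new InstallationIdentity(dir).deviceId("constructed-hardware-id");
        Files.delete(dir.resolve(SALT_FILE)); // simulates "Clear data" in Android settings
        String after = new InstallationIdentity(dir).deviceId("constructed-hardware-id");
        System.out.println("stable across starts: " + before.equals(again)
                + ", survives wipe: " + before.equals(after));
    }
}
```

The server side still has to treat an unknown device id as unauthorised and require the email flow again; otherwise the salt buys nothing.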