Earlier this week, news reports surfaced of a security hole in a popular mobile application for sharing photos. The program, called Quip, enabled iPhone users to send picture messages to any phone without using carriers’ MMS technology, which often requires an extra monthly fee. Quip sent text messages or push notifications with a link to a web page where the recipient could view the intended picture. According to the developers of Quip, users have sent over 3 million photos using the service.

But those 3 million photos did not only reach their intended viewers. The application uploaded pictures to a public web server with no encryption or authentication, and even worse, the addresses of the files followed a simple, predictable pattern. Once someone posted the information to a popular link-sharing site, Internet users began posting links to images that ranged from racy to disturbing. Intrepid voyeurs even identified people in the photos and found their accounts on various social networking sites.

Addy Mobile, the company behind Quip, reportedly shut down their servers and turned off access to the servers hosting images, but not before many of the pictures were downloaded and re-posted on other web sites. The founder of Addy Mobile issued an apology and promised to keep the service offline until they built better protection for uploaded files. He noted that the company had only three employees but said they would work quickly.

The unfortunate Quip incident provides a real-life illustration of many security lessons, but one in particular stands out: Developers need to think about security aspects of their projects from the beginning. Online resources make it very easy for anyone to learn programming, but that same ease of access can lead to a three-person product handling three million files. While mistakes happen and foolproof security can be difficult, if not impossible, to achieve, building basic precautions into Quip’s system could have avoided embarrassment and difficulty for many end users. Security is not simply a feature or add-on – in today’s connected world especially, it is an essential part of product development.
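The two gaps described above, predictable file addresses and no authentication on the image server, can both be closed with unguessable identifiers plus signed, expiring links. The sketch below is an added example, not Quip's or Addy Mobile's code; the host name, function names and HMAC link format are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Constructed key for this example; a real service loads it from a secret store.
SIGNING_KEY = secrets.token_bytes(32)
BASE_URL = "https://photos.example.invalid/p"  # hypothetical host


def new_photo_id() -> str:
    """128 bits from the OS CSPRNG, so addresses cannot be enumerated or guessed."""
    return secrets.token_urlsafe(16)


def _sign(photo_id: str, expires: int) -> str:
    # The signature binds the ID to its expiry, so neither can be swapped.
    msg = f"{photo_id}:{expires}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def make_link(photo_id: str, ttl_seconds: int = 86400, now: Optional[int] = None) -> str:
    """Build the link that goes into the text message or push notification."""
    issued = int(time.time()) if now is None else now
    expires = issued + ttl_seconds
    return f"{BASE_URL}/{photo_id}?exp={expires}&sig={_sign(photo_id, expires)}"


def parse_link(url: str) -> Tuple[str, str, str]:
    """Split a link into the (photo_id, exp, sig) strings the server receives."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    return parts.path.rsplit("/", 1)[1], query["exp"][0], query["sig"][0]


def verify(photo_id: str, exp: str, sig: str, now: Optional[int] = None) -> bool:
    """Server-side check that runs before any image bytes are returned."""
    try:
        expires = int(exp)
    except (TypeError, ValueError):
        return False
    current = int(time.time()) if now is None else now
    if current > expires:
        return False  # link has expired
    expected = _sign(photo_id, expires)
    # Constant-time comparison avoids leaking how much of the signature matched.
    return hmac.compare_digest(expected.encode(), sig.encode())
```

A link built this way still works for anyone it is forwarded to until it expires, so it limits guessing and exposure time but does not replace per-recipient authentication.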