By now, you've probably heard about the Iowa caucus app debacle. The app (IowaReporterApp) that was used in the caucus, and that failed, is now out in the wild. I decided to check it out. I downloaded the APK and decompiled it, as several others have, and took a look.
As far as running it goes, there wasn't much I could do without a login. Someone could set up a new Auth0 endpoint and reroute the outbound calls to get in, but that's more than I am willing to do.
I should preface this by saying I'm not an expert React or Android developer, but looking through the code, I could pick some things out.
What we know about this application
Here are some things we now know about this application:
- It's a React Native application.
- It uses Auth0.
- It connects to a Firebase backend.
It appears the steps were:
- A volunteer (precinct chair) logs into the application with their precinct number.
- Then they authenticate with Auth0.
- Enter the total number of attendees.
- Enter the vote totals for the first and second round of the caucus.
- Calculate how many delegates are awarded to each candidate.
- Send it up to Firebase.
Some of the problems reported:
- Some volunteers were not able to log in.
- There was an interfacing problem with the service that verified the data (this one is being argued).
Many of these problems could have been human-caused. Many have said the login issues were caused by people putting in the wrong credentials. Certainly a possibility. I'm not going to pile on the criticism, but I will share my observations.
Looking at the source
So I pulled open some source code, and I noticed a few things.
- There appears to be a ton of boilerplate code.
- There are things like typos that should have been caught.
- There are hints this wasn't tested through any automation or CI/CD.
The boilerplate stuff isn't an instant strike against them. Developers shouldn't re-invent the wheel and write functions for things without a good reason. It appears this was the simplest of CRUD apps that just needed to drop some numbers into Firebase. No need for a bunch of elaborate code.
What's alarming is we don't know the skill level of the people using that boilerplate code or the effort put in to test the code as assembled.
Typos
I did find some typos in the text. Not a huge deal, except that usually if people aren't catching typos, what else aren't they catching? Typos and misspellings are the first things to be fixed with thorough testing.
Also this:
While this isn't a huge issue, it smells. The application was built and deployed from a personal machine rather than from an artifact generated by a CI/CD process.
You should never find local paths in your source code for a production application.
While I did find some testing and CI code in here, it's all boilerplate, so there's no indication it was run.
Conclusion
I haven't gone through all the code thoroughly and I'm not an expert, but a few things certainly popped out. While this was an unfortunate occurrence, we can learn a lot from it. It will be interesting over the coming days to see what analysis comes from this.
Want to try it out for yourself?
- You can get the APK here
- You can get the source code here