How many companies use open source libraries and frameworks without any due diligence? Read this article of an instance where malicious code was injected into a node.js npm library and the target was the copay bitcoin wallet to steal bitcoin. What steps do companies take, or should they take, to prevent such snafus to their products and customers? https://medium.com/s/story/exploiting-developer-infrastructure-is-insanely-easy-9849937e81d4
Isn’t this what basic traffic analysis should flag?
You make a good point, but how many companies do that for their mobile apps that run on customer devices? Also, what if the traffic doesn't occur all the time but is programmed to transmit once a month or so? Companies may check how the app is behaving with their backend, but if the application runs on a mobile user's device outside of your control, how could you monitor all the IP requests that the app is making? It may even be complicated by a zero day exploit. In that scenario, traffic analysis may not help. Thoughts?
This was a node issue, not a mobile app issue.
Me
This tends to be a pretty egregious problem with Node and Ruby.
Companies should review everything that goes in their products. Accepting precompiled binaries and not reviewing source code is asking for trouble. Developers got sloppy and lazy.
So your company doesn’t use OSS library security scanning services? Thanks for letting me know how vulnerable your isht is.
Pull request a counter virus to the master branch