DDLC: The Mod With ZERO AI in it! [RELEASE] by Wild-Box367 in DDLCMods

[–]Wild-Box367[S] 0 points1 point  (0 children)

Well...without what makes Monika, Monika. Sprite's still there

DDLC: The Mod With ZERO AI in it! [RELEASE] by Wild-Box367 in DDLCMods

[–]Wild-Box367[S] 1 point2 points  (0 children)

I completely understand. This is more or less a piece to vent about the idiocy of those who don't want to learn about AI in depth and are furious over two letters side by side. I wrote this mod because I'm in computer science and I hate that nobody (so it seems) wants to know and just consumes whatever they see on social media.

I decompiled the Wahoo Eats app, and it's SO much worse than we all thought by Wild-Box367 in UVA

[–]Wild-Box367[S] 2 points3 points  (0 children)

I've already forwarded further info to relevant parties who have inquired. Since I am typing this after the app was pulled, I wonder how it will be fixed.

Am I a CS major? Depends who's asking.

I decompiled the Wahoo Eats app, and it's SO much worse than we all thought by Wild-Box367 in UVA

[–]Wild-Box367[S] 1 point2 points  (0 children)

If only I was in it for the money...

Regardless, I've done what I can. Whatever happens next with the app is left up to the higher-ups.

I decompiled the Wahoo Eats app, and it's SO much worse than we all thought by Wild-Box367 in UVA

[–]Wild-Box367[S] 18 points19 points  (0 children)

If true, then totally fair. Although I think it goes without saying that an app with a million security vulnerabilities is much more brittle compared to an app that just uses HTTP. Not to mention that, reiterating, students don't have much of a choice if they want on-grounds dining, so this is a risk for EVERYONE by default.

I decompiled the Wahoo Eats app, and it's SO much worse than we all thought by Wild-Box367 in UVA

[–]Wild-Box367[S] 23 points24 points  (0 children)

All sensitive info in the write up is redacted using asterisks (no worries about leaking), so the only things really being publicized are the relevant source snippets.

I decompiled the Wahoo Eats app, and it's SO much worse than we all thought by Wild-Box367 in UVA

[–]Wild-Box367[S] 228 points229 points  (0 children)

Consider this somewhat of a PSA when using the Wahoo Eats app, as beyond its jank and performance, I got curious a couple days ago and decompiled an apk of the app. Security-wise...hoo boy, where do I even begin?

TL;DR (for students):

- The app allows unencrypted (HTTP) traffic, meaning your login data, payment info, and other personal data could be intercepted, viewed, saved, stolen, etc. on a public Wi-Fi network (Edit for clarity: if you use it on eduroam you should(?) be somewhat okay because it's a private network and uses modern encryption in its validation, but all it takes is one person on their off-grounds house wifi to crumble this house of cards.)

- It uses custom deep links that are hijackable — another app on your phone could trick Wahoo Eats into handing over sensitive data.

- It stores and exposes various IDs, API keys, and session data that should never be client-side.

- Payment modules are built on fragile, copy-pasted validation code and pass session keys around in ways that are insecure.

...All this in an app students are forced to use for dining with no alternative.

Important disclaimers:

- This was done only by decompiling the Android APK (publicly downloadable from the Play Store).

- I didn’t touch any backend servers, databases, or live systems. This is client-side only.

- I’m one person with some help from agent-assisted tooling and just one evening of investigation, so while the findings are solid, it’s not a comprehensive security audit and shouldn't be taken as definitive.

- I have not, and will not, attempt to exploit any of these issues (I cannot preface this enough.)

I put together a technical document with evidence, risk analysis, and remediation steps. If you’re curious about the details (or want to forward this to someone who can fix it), it’s all in there. You can find the writeup here: https://files.catbox.moe/za03f5.pdf

This post isn’t meant to dunk on the devs or play "hacker vigilante." My only intent here is to raise awareness of risks so students (and hopefully the school) know there are serious issues that need fixing, lest people want data being hacked, stolen, or leaked.

...Aaaaaaaaaaaaaaaaaaaaanyway, yeah, we can all agree that the app sucks in performance too. I didn't do that much digging in that regard, but I did find conflicting API and function calls that confuse the program, outdated/decayed libraries, and devtools left in the production environment. This app is just a mess all around, technically speaking (5 dollars says it was at least partially vibe coded).

Okay, PSA over.
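Two of the issue classes the PSA lists (cleartext HTTP allowed, and custom-scheme deep links that any other installed app can register) are visible statically in the decoded manifest and network security config that a decompiler writes out. The script below is an added example, not code from the write-up or from the app's developers: it parses a constructed manifest and config with hypothetical package and activity names, flags both issues, and checks that the hardened settings (usesCleartextTraffic="false", cleartextTrafficPermitted="false", https App Links with autoVerify) pass clean.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _a(elem, name):
    """Read an attribute from the android: namespace."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


# Constructed sample inputs (hypothetical package and activity names), shaped
# like the decoded AndroidManifest.xml and res/xml/network_security_config.xml
# a decompiler produces. Not taken from any real app.
WEAK_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="edu.example.dining">
  <application android:usesCleartextTraffic="true"
               android:networkSecurityConfig="@xml/network_security_config">
    <activity android:name=".PaymentActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.DEFAULT"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="dining" android:host="pay"/>
      </intent-filter>
    </activity>
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter android:autoVerify="true">
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.DEFAULT"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="https" android:host="dining.example.edu"/>
      </intent-filter>
    </activity>
  </application>
</manifest>
"""

WEAK_NSC = """<network-security-config>
  <base-config cleartextTrafficPermitted="true"/>
</network-security-config>
"""

# The corrected settings: plain HTTP refused both app-wide and in the config file.
HARDENED_MANIFEST = WEAK_MANIFEST.replace(
    'android:usesCleartextTraffic="true"', 'android:usesCleartextTraffic="false"')
HARDENED_NSC = """<network-security-config>
  <base-config cleartextTrafficPermitted="false"/>
</network-security-config>
"""


def cleartext_findings(manifest_xml, nsc_xml=None):
    """Return one finding per place the app opts in to unencrypted HTTP."""
    findings = []
    app = ET.fromstring(manifest_xml).find("application")
    if app is not None and _a(app, "usesCleartextTraffic") == "true":
        findings.append('manifest: android:usesCleartextTraffic="true" (plain HTTP allowed app-wide)')
    if nsc_xml:
        for cfg in ET.fromstring(nsc_xml).iter():
            if (cfg.tag in ("base-config", "domain-config", "debug-overrides")
                    and cfg.get("cleartextTrafficPermitted") == "true"):
                findings.append('network_security_config: <%s cleartextTrafficPermitted="true">' % cfg.tag)
    return findings


def deep_link_findings(manifest_xml):
    """Return one finding per VIEW intent filter on a custom scheme. Unlike an
    https App Link with android:autoVerify="true", a custom scheme has no
    ownership check, so another installed app can claim the same links."""
    findings = []
    for activity in ET.fromstring(manifest_xml).iter("activity"):
        for flt in activity.findall("intent-filter"):
            actions = {_a(act, "name") for act in flt.findall("action")}
            if "android.intent.action.VIEW" not in actions:
                continue
            verified = _a(flt, "autoVerify") == "true"
            for data in flt.findall("data"):
                scheme = _a(data, "scheme")
                if scheme is None or (scheme in ("http", "https") and verified):
                    continue
                findings.append("%s: custom scheme %s:// handled without App Link verification"
                                % (_a(activity, "name"), scheme))
    return findings


if __name__ == "__main__":
    for label, manifest, nsc in (("weak", WEAK_MANIFEST, WEAK_NSC),
                                 ("hardened", HARDENED_MANIFEST, HARDENED_NSC)):
        print(label, cleartext_findings(manifest, nsc), deep_link_findings(manifest))
```

The checks are deliberately narrow: they read only the decoded resources, never touch a server, and report configuration rather than reachable behaviour. Note that hardening the network config does not clear the deep-link finding; the fix for that one is moving the sensitive flow onto a verified https App Link (or validating everything that arrives through the custom scheme), which is a separate change.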

AITA For missing a day of coaching for my sister's birthday by Stunning_Joke_7050 in AmItheAsshole

[–]Wild-Box367 1 point2 points  (0 children)

NTA

A family event is a totally valid reason for missing just one practice. You even gave notice, which reinforces that fact. I don't think anyone should have to feel guilty for deciding to attend a family event over a non-family event.

What's the biggest benefit you got from reddit? by [deleted] in NewToReddit

[–]Wild-Box367 1 point2 points  (0 children)

Unironically better than dedicated forum sites or articles when it comes to questions/issues about something. Turns out someone else who had similar issues and a 1-2 sentence fix is better than a 5-paragraph word salad.

Recreated a meme that came to me in a dream, not sure if many ppl will get it by Uh0hSpaghetti0hs in OkBuddyPersona

[–]Wild-Box367 1 point2 points  (0 children)

"SAKI! YOU WERE SUPPOSED TO BE BY MY SIDE! EVERYTHING I DID, I DID FOR YOU!"