The app provides many features already served by student IDs. Courtesy Involvio

ConnectTU app connects with my phone’s trashcan

Doubts of security and abused functionality make SA’s ConnectTU a no go.

As freshmen this year have learned, TU really does have an app for that. First, it was the orientation app that told students the orientation schedule (because apparently freshmen can’t be trusted to keep track of a paper schedule?). Now, the app-centric way of living has come to all students. From the Student Association that brought you Involvio, a seldom used app that was meant for advertising events to get SA funding, comes SA’s newest app: ConnectTU.

Unlike Involvio, however, ConnectTU has new functions that mean you actually might have to download it. If you went to First Thursday the first week of classes and wanted food or the SA T-shirt, instead of scanning your ID, something every student had, you had to scan in using ConnectTU’s check-in functionality. Not only did this require students to download an app before they got food, it also assumed everyone had a phone with them, one that can download apps (flip phones work on a college budget) or one to begin with. Not everyone has a mobile phone, SA.

Then we get to the setup of the app. First thing you see when you open the app is a blank white screen with a blue ‘next’ button. Honestly, this is when I lost confidence in the app. They throw this product into production without actually having a fully fleshed out user interface or loading screen on first use.

Next, it asks you to sign in with your TU credentials. This is a red flag. I don’t trust mobile application security as a rule. I’ve spent my summers breaking products that took more time to design than this, and having a TU student’s login credentials gives an attacker access to everything from Harvey to their student email. Sure, we might trust Microsoft’s single sign-on, but do we trust how that request is sent or any of ConnectTU’s own requests? I sure as hell don’t. Lots of apps send information like passwords in the clear because they think that security isn’t needed or the requests can’t be intercepted.

If you decide to grit your teeth and log in, you then see the app itself, which has several different features. If you’re naive enough to go ahead and turn on notifications when it asks you, it will turn them on for every single possible “channel” that it puts you in. This feels very much like a bad Slack knockoff. Each of these channels is supposed to be a place for actual discussion, but with users like Mike Pence and Adam Smith, these channels are just memes and show that no one takes this app seriously.

Now, SA wants us to use the QR code feature to scan in to different SA events, but to do this we give this insecure app access to all our photos. Definitely doesn’t seem worth it to me. Plus, this is just another set of information that could now be intercepted and give an attacker access to so much about a TU student.

The only thing of vague value that isn’t a complete head scratcher (apparently you can make calls through the app?) is that it does have the actual TU events calendar. Granted, it’s tiny and not very detailed, but with digital signage going away, it might actually have to be used (SA wants two forms of advertisement to count a program as fundable and who wants to chalk in December?).

I was definitely not impressed by the ConnectTU app, and with my doubts as to its security, I for one do not plan to use this app in the near future, even if it means I miss out on a T-shirt or two. It’s definitely not like there are free T-shirts anywhere else on campus, after all.

Post Author: Hannah Robbins