The app’s flaws should call the turnout of last week’s events into question.
Disclaimer: I never attempted the following with my own account since I did participate in Homecoming this year. Every scan-in I did was legitimate, and the following article should not affect the validity of my own participation.
Now that that’s out of the way, let’s get right down to it. Student Association should not have used the ConnectTU app for signing in for Homecoming. I have significant issues with ConnectTU’s security, considering the way it stores credentials and how you log into the app (not securely), so I’m not the biggest fan of ConnectTU in the first place.
However, I started having a bigger issue when I saw how SA was using the app for Homecoming. SA had a picture of a QR code by a table and that was how people scanned into events. This method of signing in has two issues.
First, it assumes everyone has a phone with them. This is an invalid assumption. Not every student on campus has a phone capable of supporting the app. This assumed privilege on the part of SA shows just how out of touch they are with the students they claim to serve. By simply scanning a student’s ID, there is no assumed privilege; as a student of the university, you have an ID.
However, the second issue is the crux of this article. Unlike scanning a student’s ID, which ensures that the student is actually at the event, QR codes aren’t specific to a location. This might mean that students could simply take a photo of the QR code and pass it on to other people in their Homecoming group who would then just scan the QR code to sign in without actually attending the event.
So obviously, I had to try this. First, I found several friends who were not participating in Homecoming. Then, I went to Fall Fest and took a picture of the QR code. I drove over to my friend’s off-campus apartment and had them try to scan into the event … and it worked.
From what I can tell, this scanning in does not actually check a student’s physical location, only that they have access to the QR code. Just for giggles and kicks, I had a friend try to sign in after the event ended; it lets you do this too, but it does record the sign-in time. SA might have thought of this and be able to check if students signed in outside of the time of the event, but there seems to be no way to validate where they signed in from.
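As an added illustration (not code from ConnectTU or SA), here is what a check-in server would have to do to reject the two cases above: a QR code that was photographed earlier and scanned later, and a scan after the event ended. The code is rotated every minute from a per-event secret, and the server checks both the time window and the rotation slot; the secret, event times and 60-second rotation are assumptions for this example.

```python
import hmac
import hashlib

# Per-event key held only by the check-in server (constructed for this example).
SECRET = b"constructed-demo-secret"
ROTATION_SECONDS = 60  # the QR code displayed at the table changes this often

def token_for(event_id, secret, now, rotation=ROTATION_SECONDS):
    """Token the display at the event table would render as the current QR code."""
    slot = int(now // rotation)
    mac = hmac.new(secret, f"{event_id}:{slot}".encode(), hashlib.sha256).hexdigest()[:16]
    return f"{event_id}:{slot}:{mac}"

def verify_checkin(token, secret, now, event_start, event_end,
                   rotation=ROTATION_SECONDS, skew_slots=1):
    """Return (accepted, reason). A static, shareable photo of the code fails 'stale-token'."""
    try:
        event_id, slot_str, mac = token.split(":")
        slot = int(slot_str)
    except ValueError:
        return False, "malformed"
    expected = hmac.new(secret, f"{event_id}:{slot}".encode(), hashlib.sha256).hexdigest()[:16]
    if not hmac.compare_digest(mac, expected):
        return False, "bad-mac"           # forged or wrong-event code
    if not (event_start <= now <= event_end):
        return False, "outside-event-window"  # the after-hours sign-in case
    if abs(int(now // rotation) - slot) > skew_slots:
        return False, "stale-token"       # photo taken earlier, scanned later
    return True, "ok"

def demo():
    """Constructed timeline: a two-hour event; a photo of the code is reused 30 minutes later."""
    start, end = 1_000_000, 1_000_000 + 7200
    photo_time = start + 600
    photo = token_for("fallfest", SECRET, photo_time)
    return {
        "at_table": verify_checkin(photo, SECRET, photo_time, start, end),
        "photo_30min_later": verify_checkin(photo, SECRET, photo_time + 1800, start, end),
        "after_event": verify_checkin(token_for("fallfest", SECRET, end + 60), SECRET, end + 60, start, end),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```

Rotating the code only narrows the window in which a shared photo still works; it still does not prove the person scanning is standing at the table, which is the point the article makes in favor of scanning student IDs.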
This means there is no actual way to verify that all of the sign-ins to the events are actual students who actually attended the event, and after this article, I would put no trust in the validity of any competitions SA does that involve the use of the ConnectTU app for headcount. Were all of the sign-ins for this year’s Homecoming valid? There’s really no way to tell, and this is why SA should stop using ConnectTU immediately.
If anyone from SA wants to know the full process of my tests to attempt to invalidly sign in, please feel free to contact me.