It was not properly distributed through app stores
Photo by Chip Somodevilla/Getty Images
The mobile software developed to tally votes in the Iowa Democratic caucus yesterday has taken center stage in an ongoing controversy over who exactly created it and why it was deployed in such a sloppy state. Now, thanks to Motherboard, we know what the app looks like, and the error screens that specific precinct leaders encountered as they attempted to call in vote totals last night.
The app was created by a company called Shadow Inc., a for-profit software firm that says its mission is to build political power for the progressive movement by developing affordable and easy-to-use tools for teams and budgets of any size.
The New York Times reported that many precinct chiefs had trouble simply downloading the app, and Motherboard's screenshots give hints as to why that might be. The app was not deployed through traditional app stores or even sideloaded using an enterprise certificate. Instead, it was deployed through the TestFairy testing platform, which is similar to Apple's TestFlight and used predominantly for Android and iOS apps that are not yet finalized.
Screenshot: Motherboard
Testing platforms are common for mobile apps, and are one of many ways in which independent app developers and large software makers can deploy test software without going through the sometimes rigorous App Store and Play Store review processes. This is primarily to let developers squash bugs and ensure the app can run on a variety of different devices, some of which may be using outdated operating systems and powered by older, less powerful components that may render the app sluggish or just plain inoperable.
In this case, however, it looks like Shadow used a test platform for the app's public distribution, at least for Android users. (TestFairy provides an iOS installer platform, but it is not clear if Shadow used TestFairy for the iOS version of the Iowa Recorder App.)
Installing software through a test platform or sideloading onto your device manually both come with security risks, as app store review processes are designed to discover whether a piece of software is hiding malware or does something behind the scenes it's not supposed to. In the event you do sideload an app or try installing an unofficial version, your smartphone typically warns you of the risks and asks if you want to proceed. It's also a less stable model for deploying software at scale, which might explain the difficulty precinct chiefs had in downloading the program.
Shadow used the free tier of a testing platform to distribute a critical mobile app
The screenshot from Motherboard also shows that the app was distributed using the platform's free tier and not its enterprise one. That means Shadow didn't even pony up for the TestFairy plan that comes with single sign-on authentication, unlimited data retention, and end-to-end encryption. Instead, it looks like the company used the version of TestFairy anyone can try for free, which deletes any app data after 30 days and limits the number of test users that can access the app to 200.
According to the NYT, Shadow was also building tools for the Nevada Democratic Party, but earlier this morning, the Nevada party said it would no longer be using Shadow for its upcoming primary. "We had already developed a series of backups and redundant reporting systems, and are currently evaluating the best path forward," William McCurdy, the state Democratic party chairman, told CNN.
The issues, of course, weren't restricted to the overall lack of review and testing or the security oversights; the Shadow app just plain failed when it was needed most. Motherboard's screenshots showing the error screens for the app indicate it was experiencing a variety of unexplainable errors, and that it was communicating this to the poor precinct leaders with garbles of technical nonsense they were no doubt unequipped to parse during the time-sensitive reporting process.
Screenshots: Motherboard
Multiple caucus chairs reported problems with not only obtaining the app, but logging in. Zach Simonson, chairman of the Wapello County Democratic Party in Iowa, explained today in The Washington Post that the party didn't really roll out the app so much as drop it on the doorstep.
"On Monday, I fielded calls all day from chairs trying to download the app and getting blocked," he writes, in a first-person piece titled "My chaotic, infuriating night running an Iowa caucus." Simonson says he tried signing in himself, only to be told his PIN wasn't valid. "In our county, only two of the 22 caucus leaders were able to use the app successfully," he adds.
The result of this mess is that the reporting hotline began backing up as the DNC tried to revert to over-the-phone tallying and precinct leaders resorted to counting up votes by hand. As it stands now, votes are still not in, and the results of the Iowa caucus remain in a state of flux.
In a statement released Tuesday morning, Shadow confirmed it had made the app, and said it regrets the delay in the reporting of the results of last night's Iowa caucuses and the uncertainty it has caused to the candidates, their campaigns, and Democratic caucus-goers.
Importantly, this issue did not affect the underlying caucus results data. We worked as quickly as possible overnight to resolve this issue, and the IDP has worked diligently to verify results.
Shadow, Inc. (@ShadowIncHQ) February 4, 2020
We will apply the lessons learned in the future, and have already corrected the underlying technology issue. We take these issues very seriously, and are committed to improving and evolving to support the Democratic Party's goal of modernizing its election processes.
Shadow, Inc. (@ShadowIncHQ) February 4, 2020
Update February 4th, 3:56PM ET: Clarified that TestFairy maintains an iOS testing platform as well as an Android one, but it has not yet been verified whether Shadow Inc. used TestFairy to deploy an iOS version of the app or another testing platform. The headline has been updated to reflect this fact.