Iowa election voting app snafu: a lack of testing?

An inadequately tested mobile app may have contributed to the confusion surrounding last night’s Iowa Democratic Party Caucus, something experts said underlined the importance of developers testing apps before they are deployed.

The New York Times is reporting that the app, commissioned by the Iowa Democratic Party, was created in the past two months to tabulate the caucus results.

Yesterday’s caucus ran into unprecedented issues, with results not yet reported as of Tuesday afternoon. The party, per the Times, has denied that the app’s failure caused the reporting delays.

David Krebs, executive vice president of enterprise mobility at VDC Research, said early media reports cited multiple problems with the app’s rollout: coding issues may have resulted in only partial reporting of the data, but it could also have been that users downloaded the app at the time of the caucuses rather than before and may have run into difficulty.

Taken together, he said, the issues suggested there were problems with the rollout and training needed when introducing new digital tools.

A 2019 VDC survey of 772 software developers and engineers found that only 13.1% use dynamic application security testing tools, automated tools used to detect weaknesses and security vulnerabilities for web apps while the program is running. Only 17.8% of survey respondents reported using dynamic software testing tools, automated tools that test the code of an application while it’s running, for a recent project.

“As one might expect, developers using test tools report finding more defects than those who may not,” he said.

Krebs added that engineers might use manual testing or in-house tools instead of those automated options.

Although it’s possible mobile app testing could have improved the app used in Iowa, Krebs noted, it’s hard to be certain without more specifics.

“It is worth mentioning, however, that even if this had been addressed [and] fixed, it appears that issues would still have arisen due to poor planning and training of those entrusted with using the apps,” he said.

Dion Hinchcliffe, vice president and principal analyst at Constellation Research, called the situation “one of the most dramatic tech failures ever” on Twitter.

“The vote tabulation app was never apparently used in a real-world election before, nor was it tested on a statewide scale,” he said via email.

The brief timeframe given to develop the mobile app meant there was little time to do acceptance testing, a process of using the app enough to know it performed as intended, according to Hinchcliffe.

“While little is known about the app creator, a firm known as Shadow, it seems that ‘security through obscurity’ — meaning a process of keeping a system safe by exposing it as little as possible to the real world — was a central part of the approach used here to keep the app safe,” he said. “[That] likely prevented enough formal scrutiny to ensure it worked correctly.”

Hinchcliffe said he had experience with app testing himself, as he had conducted formal system testing verification as a system architect at the Missile Defense Agency.

“Sadly, as those familiar with testing application systems know, only a regime of continuous testing can ensure a system works as designed and stays working that way as it is modified over time,” he said.