Acknowledged

CIQ store app (iOS) falsely shows settings from *wrong app*, when two apps are installed with similar settings definitions

Connect IQ Store app version 2.30.1 (iOS)

I have a data field app that has 4 "clones" in the store. They're all basically identical except for their app UUID, app name, and certain default settings.

AppBuilder 5: https://apps.garmin.com/apps/fd690281-9c22-4fee-a81e-3b7f39aa67c5

AppBuilder 5 (B): https://apps.garmin.com/apps/706e91ae-7b84-4ac3-b0a7-dc2bcceb6fc2

AppBuilder 5 (C): https://apps.garmin.com/apps/f5259a68-1509-4ee9-9a05-46dc1d939f3f

AppBuilder 5 (D): https://apps.garmin.com/apps/394b4149-6d5a-4c2c-836d-dca71ea10b98

I had AppBuilder 5 installed on my 955, but none of the other clones were installed, and I had made extensive changes to the settings of AppBuilder 5. Subsequently, I installed AppBuilder 5 (B). When I opened AppBuilder 5 (B)'s settings in the CIQ app, it showed me settings values for AppBuilder 5, instead of 5 (B)'s defaults!

But when I added AppBuilder 5 (B) to an activity, it was clearly using its default settings values (one of the settings controls the data field label.)

Reproduction Procedure:

- If any of the AppBuilder 5 data fields are installed on your device, uninstall them

- Install AppBuilder 5 and open its settings in the CIQ store app (iOS)

- Note that the default value for "Profile 1 - Label" is "AppBuilder".  (The default values for the other apps are "AppBuilderB", "AppBuilderC", and "AppBuilderD")

- Change "Profile 1 - Label" to "Custom Label" and save settings

- Add AppBuilder 5 to an activity and note that the displayed label is "Custom Label"

- Install AppBuilder 5 (B). (Do not modify its settings or launch the app on the watch)

- Install an unrelated app, such as HM's DIY #1

- Open HM's DIY #1's settings. Exit without saving

- Open AppBuilder 5 (B)'s settings: note that the value for "Profile 1 - Label" is correctly displayed as "AppBuilderB". Exit settings without saving

- Open AppBuilder 5's settings. Exit without saving

- Open AppBuilder 5 (B)'s settings: note that the value for "Profile 1 - Label" incorrectly appears to be "Custom Label". Exit settings without saving

- Add AppBuilder 5 (B) to an activity and note that the displayed label is "AppBuilderB"

- Open AppBuilder 5's settings. Exit without saving

- Open AppBuilder 5 (B)'s settings. Note that the value for "Profile 1 - Label" is now correctly displayed as "AppBuilderB"

The same problem can be demonstrated with any of the 4 clones.

EDIT: as mentioned in a comment below, I think this is a potential security issue.

EDIT2: Simplified recreation procedure:

- install an app (B) with settings but do not modify settings or launch the app on the device. (App B's settings are uninitialized.)

- install a related clone app (A) with similar settings to B. Modify settings so that they're recognizable

- Install an unrelated app (C) with dissimilar settings to B

- Open C's settings, then open B's settings. B's settings will show B's default values as expected. (Do not save B's settings at this point)

- Open A's settings, then open B's settings: you will see A's settings instead of B's default values

  • I think the simplest possible explanation for this behavior is that in the Connect IQ store, there's temporary *global* storage for app properties that's not always cleared between opening one app's settings and another app's settings.

    e.g. If App A has a setting/property with key "foo", and its value is 42 for "App A", then when I open App A's settings, maybe there's a global cache which assigns a value of 42 to the key "foo".

    Now when I open newly installed App B, if it also has a setting/property defined with key "foo", but the app's settings values are still uninitialized (bc it’s a new install), instead of using the default value defined for App B's "foo" property, the store incorrectly grabs the cached value of "foo".

    Again, this could be a security issue if in fact this is how it works.

    This could be further investigated by creating two test apps which only have a subset of settings/property keys in common, and seeing if the bug recurs for the common subset. Again, this would point to a possible attack where a bad actor could try to guess the names of property keys of interest that may exist in other apps.
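
Added example (not part of the original thread and not Garmin's code): a toy Python model of the cache behaviour hypothesized in the comment above. It shows that only the property keys two apps share would be affected, and that scoping the cache by app removes the effect. All class, method and key names are hypothetical, and the unrelated app C is assumed to already have saved settings.

```python
# Toy model of the hypothesis in the comment above. Not Garmin's code;
# every class, method and key name here is hypothetical.

class SettingsStore:
    def __init__(self, scoped):
        self.scoped = scoped   # True: cache keyed by app id (corrected design)
        self.defaults = {}     # app_id -> {key: default value}
        self.saved = {}        # app_id -> {key: value}; absent until first save
        self.cache = {}        # one shared dict (buggy) or app_id -> dict (scoped)

    def install(self, app_id, defaults):
        self.defaults[app_id] = dict(defaults)

    def save(self, app_id, values):
        self.saved[app_id] = {**self.defaults[app_id], **values}

    def open_settings(self, app_id):
        """Return the values the settings screen would display."""
        if self.scoped:
            cache = self.cache[app_id] = dict(self.saved.get(app_id, {}))
        elif app_id in self.saved:
            cache = self.cache = dict(self.saved[app_id])
        else:
            # Hypothesized defect: no saved settings, so the previous
            # app's cached values are left in place and read by key.
            cache = self.cache
        return {k: cache.get(k, d) for k, d in self.defaults[app_id].items()}


def run_scenario(scoped):
    s = SettingsStore(scoped)
    s.install("A", {"label": "AppBuilder", "units": "metric"})
    s.install("B", {"label": "AppBuilderB", "color": "red"})  # shares only "label"
    s.install("C", {"formula": ""})                           # unrelated app
    s.save("A", {"label": "Custom Label", "units": "imperial"})
    s.save("C", {"formula": "x"})   # assumption: C already has saved settings
    s.open_settings("C")
    after_c = s.open_settings("B")  # B opened right after unrelated C
    s.open_settings("A")
    after_a = s.open_settings("B")  # B opened right after clone A
    s.save("B", {})                 # B now has its own saved settings
    s.open_settings("A")
    after_save = s.open_settings("B")
    return after_c, after_a, after_save


if __name__ == "__main__":
    for scoped in (False, True):
        print("scoped" if scoped else "shared", run_scenario(scoped))
```

In the shared-cache run, B's "label" takes A's value while "color", which A does not define, keeps B's default; that partial overlap is what the two-test-app experiment proposed above would look for.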

  • I can make a video which shows that different settings are shown for the new app depending on which app's settings were open immediately prior to opening the new app's settings. I'm not going to show the process of installing the app though (you'll have to take my word for it that I just installed the app and didn't save any settings or launch it on the watch.)

    Hopefully this will be enough anecdotal evidence for most ppl.

    In this video:

    - AppBuilder 5 = existing app with modified settings ("Profile 1 - Label" = "DISTINCTIVE SETTINGS FOR EXISTING APP")

    - AppBuilder 5 (B) = newly installed app ("Profile 1 - Label" default value should be "AppBuilderB")

    - HMs DIY #1 = completely unrelated app (but still has settings)

    The video shows:

    - Opening settings for HMs DIY #1

    - Opening settings for AppBuilder 5 (B) (newly installed) - default settings are visible as expected. (Closing settings without saving)

    - Opening settings for AppBuilder 5 (previously installed, settings changed)

    - Opening settings for AppBuilder 5 (B) - settings for AppBuilder 5 are incorrectly shown

  • I'm kinda reluctant to make a video bc:

    - anyone should be able to recreate this bug given the information I've posted

    - even the process of installing apps via the Connect IQ store is such a huge pain. Sometimes instead of installing right away, an app will go into the "install queue" until the CIQ gods decide it's finally time to install the app (yes, I tried syncing and that doesn't seem to do anything). So even the process of making a short, yet comprehensive, video is not as simple as it sounds (like a lot of CIQ things)

  • "I've installed a new app and seen settings for a completely unrelated app."

    Sorry, I meant to say "I've never installed a new app and seen settings for a completely unrelated app."

  • I can confirm that this happens with the latest version of the Connect IQ store app (iOS): 2.30.2

    I can also provide additional insight into the recreation procedure.

    This bug happens when I first open the settings for the previously installed app ("AppBuilder 5"), then open the settings for the newly installed app ("AppBuilder 5 (B)") which is a clone of the first one. When I do this, I see the wrong settings. This only happens when the 2nd clone is still in the freshly installed state, meaning it has no settings of its own (in which case, the default settings would normally be shown).

    If I first open the settings for an unrelated app (like HMs DIY #1), then open the settings for the newly installed app, then the default settings for the new app are shown (as expected.)

    Furthermore, if I save the settings for the newly installed app at any point (whether I use the "bad" settings from the other app as a base, or the correct default settings as a base), then this bug no longer occurs.

    TL;DR to see this bug:

    - it's necessary for the newly installed app to have no settings saved (easiest way to guarantee this is to uninstall and reinstall it)

    - it's necessary to first open the settings of a previously installed "clone" of the new app, then to subsequently open the settings of the newly installed app