The Qardio Arm iOS application exposes sensitive data such as usernames
and passwords in a plist file. This allows an attacker to log in to
production-level development accounts and access an engineering backdoor
in the application. The engineering backdoor allows the attacker to
send hex-based commands over a UI-based terminal.
Credits
Bryan Riggins of Insulet Corporation reported these vulnerabilities to CISA.
