/ MOBILE SECURITY, VULNERABILITIES, ANDROID SECURITY, PRIVACY, WORKFORCE MANAGEMENT

The App You Asked Your Employees to Install Can Leak Their Bank Account Details to Hackers

Security audit of shift scheduling and workforce management apps finds flaws that expose Plaid banking tokens, allow fake messages under the employer’s brand, and let attackers silently delete shift notifications.

Oversecured, a mobile application security company, has identified security vulnerabilities in several widely used shift scheduling and workforce management apps on Google Play. The affected apps serve restaurants, retail chains, healthcare facilities, and logistics companies. The most severe flaw could allow a malicious application to steal Plaid banking tokens — the credentials that connect workers’ bank accounts for direct deposit.

The affected apps include:

  • A scheduling platform used by small businesses, with Plaid-based payroll integration
  • An all-in-one workforce management platform used across retail and field operations
  • Three separate scheduling apps that share the same notification-suppression flaw

For hourly employees, these apps are not optional. They are the primary channel for shift assignments, clock-ins, manager communications, and pay.

A scheduling app leaks banking tokens

A scheduling platform’s Plaid enrollment activity takes the incoming intent, appends Plaid response data, and returns it as the activity result to whichever app started the activity — without verifying the caller. A malicious app can launch this flow and receive the banking token in return. The same app also lets any other app force it to make arbitrary outbound HTTP requests, because its main activity passes deep-link URLs to a connection handler without host validation.

In practice: a worker who connected their bank for direct deposit could have their financial account data extracted by a malicious app running on the same phone. The attack is invisible — no pop-up, no permission request, no notification.

Fake messages under the employer’s brand

An all-in-one workforce platform has an exported BroadcastReceiver that builds and displays notifications from any sender’s data. A malicious app can push fake messages — a shift change, an HR notice, a request for credentials — that appear to come from the employee’s company. The same app loads avatar and logo URLs from incoming intents without domain validation, allowing arbitrary images inside its interface.

In practice: an attacker could send a worker a fake “your direct deposit details need updating” notification that looks identical to a real company message, leading to a phishing page.

Three apps allow silent deletion of shift notifications

Three scheduling apps share the same vulnerability: an exported BroadcastReceiver that cancels notifications without verifying the sender. Any app on the phone can silently dismiss push notifications from these workforce tools.

In practice: a suppressed shift notification could mean a missed shift, a lost day of pay, or disciplinary action. The worker would have no way to know the notification ever existed.
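The two receiver flaws above (fake notifications built from any sender’s data, and silent cancellation) share one root cause: an exported BroadcastReceiver that trusts whoever sent the broadcast. The following is an added example, not code from any of the audited apps, showing that pattern together with the manifest declaration that exposes it and the declaration that closes it; the package, class, action and extra names are hypothetical, and the notification channel is assumed to be created elsewhere in the app.

```java
// Added illustration, not code from any of the audited apps. Package, class,
// action names and extras are hypothetical; the channel is created elsewhere.
package com.example.workforce;
import android.app.NotificationManager;
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import androidx.core.app.NotificationCompat;

// Weak declaration, matching the pattern described above:
//   <receiver android:name=".NotificationReceiver" android:exported="true" />
// No android:permission, so any app on the device can broadcast SHOW with its
// own title and body, or CANCEL with a guessed id, and this code acts on it.
//
// Hardened declaration. The receiver is only triggered by this app's own push
// handling, so it should not be reachable from outside at all:
//   <receiver android:name=".NotificationReceiver" android:exported="false" />
// If a companion app signed with the same key genuinely needs it, keep it
// exported but gate it behind a signature-level permission:
//   <permission android:name="com.example.workforce.permission.NOTIFY"
//               android:protectionLevel="signature" />
//   <receiver android:name=".NotificationReceiver" android:exported="true"
//             android:permission="com.example.workforce.permission.NOTIFY" />
public class NotificationReceiver extends BroadcastReceiver {
    static final String ACTION_SHOW   = "com.example.workforce.action.SHOW";
    static final String ACTION_CANCEL = "com.example.workforce.action.CANCEL";
    static final String CHANNEL_ID    = "shifts";

    @Override
    public void onReceive(Context ctx, Intent intent) {
        NotificationManager nm = ctx.getSystemService(NotificationManager.class);
        String action = intent.getAction();
        if (ACTION_SHOW.equals(action)) {
            // Title and body come from the intent. While the receiver is exported
            // they are whatever the sender chose, shown under this app's name.
            nm.notify(intent.getIntExtra("id", 0),
                    new NotificationCompat.Builder(ctx, CHANNEL_ID)
                            .setSmallIcon(android.R.drawable.ic_dialog_info)
                            .setContentTitle(intent.getStringExtra("title"))
                            .setContentText(intent.getStringExtra("body"))
                            .build());
        } else if (ACTION_CANCEL.equals(action)) {
            // With the receiver exported, any app can dismiss a shift notification
            // by id: the silent-suppression flaw described above.
            nm.cancel(intent.getIntExtra("id", 0));
        }
    }
}
```

Receivers registered at runtime need the same treatment: pass `ContextCompat.RECEIVER_NOT_EXPORTED` to `ContextCompat.registerReceiver` unless another app is meant to reach them.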

Other findings: a time-tracking app copies user videos to world-readable external storage. Another includes hardcoded basic authentication credentials in its code.

‘When a company deploys a scheduling app, it becomes the nervous system of daily operations. One app lets another application extract Plaid banking tokens. Another lets a third-party app send fake messages under the employer’s name,’ says Sergey Toshin, founder of Oversecured. ‘These are the tools millions of hourly workers depend on every day.’

The researchers have not disclosed specific app names or technical details as the vulnerabilities remain unpatched.


About Sergey Toshin

Sergey Toshin is the founder of Oversecured, a mobile application security company. He has discovered and helped fix over 1,000 mobile vulnerabilities. His research earned the #1 ranking on Google Play’s security researcher leaderboard, top researcher status with Samsung Mobile Security, and a top-3 position on HackerOne. He has collected over $1 million in bug bounties from major technology companies.

About Oversecured

Oversecured provides automated security scanning for Android and iOS applications. The company has identified vulnerabilities in apps from Google, Samsung, Amazon, PayPal, TikTok, Airbnb, Netflix, and other major technology companies. The scanner covers 175+ vulnerability categories for Android and 85+ for iOS with 99.8% detection accuracy. CNN, TechCrunch, and other media outlets have featured Oversecured’s research.

