Follow Us

We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message

RSA Conference mobile app has vulnerabilities, researchers say

The app exposes information about attendees in a SQLite database file, according to IOActive

Article comments

A mobile application designed to make it easier for RSA Conference 2014 attendees to navigate the event and interact with their peers exposes personal information, according to researchers from security firm IOActive.

The IOActive researchers who looked at the app identified a half-dozen security issues, including one that allowed man-in-the-middle attackers to potentially inject rogue code into the app's login screen to steal credentials, said Gunter Ollmann, chief technology officer at IOActive, in a blog post.

Since the RSA Conference app is only used by several thousand people and the log-in credentials don't provide access to high-value information like financial data, it's unlikely hackers would go to the trouble of attempting to exploit the man-in-the-middle flaw. However, there's a second issue that exposes attendee data and is easier to exploit, according to Ollmann.

"The RSA Conference 2014 application downloads a SQLite DB [database] file that is used to populate the visual portions of the app (such as schedules and speaker information) but, for some bizarre reason, it also contains information of every registered user of the application -- including their name, surname, title, employer, and nationality," Ollmann said.

"I have no idea why the app developers chose to do that, but I'm pretty sure that the folks who downloaded and installed the application are unlikely to have thought that their details were being made public and published in this way," Ollmann said. "Marketers love this kind of information though!"

The RSA Conference app appears to have been developed by a third-party company called QuickMobile that also created apps for many other events and conferences.

It's not clear if any of those other apps have similar vulnerabilities and data security issues, but Ollmann believes there's a trend of creating mobile apps for marketing purposes and outsourcing their development to third parties with little consideration for security.

"Many corporate marketing teams I've dealt with have not only drunk the 'There's an app for that' Kool-Aid, they appear to bath in the stuff each night," Ollmann said. "As such, a turnkey approach to app production is destined to involve many sacrifices and, at the top of the sacrificial pillar, data security and integrity continue to reign supreme."

The fact that limited-purpose apps like the RSA Conference one have vulnerabilities is not very surprising considering that serious security issues have been found in the past in apps dealing with much more sensitive data. Researchers from IOActive recently found vulnerabilities in many mobile banking apps from financial institutions around the world.

"Security flaws in mobile applications (particularly these rapidly developed and targeted apps) are endemic, and I think the RSA example helps prove the point that there are often inherent risks in even the most benign applications," Ollmann said.

The RSA Conference organizers did not immediately respond to a request for comment.

If a corporate marketing team decides to release a mobile application, the app's security and integrity is their responsibility, Ollmann said. "While you can't outsource that, you can get another organization to assess the application on your behalf."



Share:

More from Techworld

More relevant IT news

Comments



Send to a friend

Email this article to a friend or colleague:

PLEASE NOTE: Your name is used only to let the recipient know who sent the story, and in case of transmission error. Both your name and the recipient's name and address will not be used for any other purpose.

Techworld White Papers

Choose – and Choose Wisely – the Right MSP for Your SMB

End users need a technology partner that provides transparency, enables productivity, delivers...

Download Whitepaper

10 Effective Habits of Indispensable IT Departments

It’s no secret that responsibilities are growing while budgets continue to shrink. Download this...

Download Whitepaper

Gartner Magic Quadrant for Enterprise Information Archiving

Enterprise information archiving is contributing to organisational needs for e-discovery and...

Download Whitepaper

Advancing the state of virtualised backups

Dell Software’s vRanger is a veteran of the virtualisation specific backup market. It was the...

Download Whitepaper

Techworld UK - Technology - Business

Innovation, productivity, agility and profit

Watch this on demand webinar which explores IT innovation, managed print services and business agility.

Techworld Mobile Site

Access Techworld's content on the move

Get the latest news, product reviews and downloads on your mobile device with Techworld's mobile site.

Find out more...

From Wow to How : Making mobile and cloud work for you

On demand Biztech Briefing - Learn how to effectively deliver mobile work styles and cloud services together.

Watch now...

Site Map

* *