RSA Conference mobile app has vulnerabilities, researchers say

The app exposes information about attendees in a SQLite database file, according to IOActive

A mobile application designed to make it easier for RSA Conference 2014 attendees to navigate the event and interact with their peers exposes personal information, according to researchers from security firm IOActive.

The IOActive researchers who looked at the app identified a half-dozen security issues, including one that allowed man-in-the-middle attackers to potentially inject rogue code into the app's login screen to steal credentials, said Gunter Ollmann, chief technology officer at IOActive, in a blog post.

Since the RSA Conference app is only used by several thousand people and the log-in credentials don't provide access to high-value information like financial data, it's unlikely hackers would go to the trouble of attempting to exploit the man-in-the-middle flaw. However, there's a second issue that exposes attendee data and is easier to exploit, according to Ollmann.

"The RSA Conference 2014 application downloads a SQLite DB [database] file that is used to populate the visual portions of the app (such as schedules and speaker information) but, for some bizarre reason, it also contains information of every registered user of the application -- including their name, surname, title, employer, and nationality," Ollmann said.

"I have no idea why the app developers chose to do that, but I'm pretty sure that the folks who downloaded and installed the application are unlikely to have thought that their details were being made public and published in this way," Ollmann said. "Marketers love this kind of information though!"
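The exposure Ollmann describes is one a release check on the downloadable content database can catch. The following is an added example, not code from IOActive, QuickMobile or the RSA Conference app: the table names, column names, sample rows and the `PII_HINTS` list are all constructed assumptions.

```python
import sqlite3

# Column-name fragments treated as personal data (assumed list; tune per app).
PII_HINTS = ("name", "surname", "title", "employer", "company",
             "nationality", "email", "phone")


def build_sample_db():
    """Constructed stand-in for a downloaded content DB (not the real app's schema)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE sessions (id INTEGER PRIMARY KEY, starts_at TEXT, room TEXT);
        CREATE TABLE speakers (id INTEGER PRIMARY KEY, display_name TEXT, bio TEXT);
        CREATE TABLE registered_users (id INTEGER PRIMARY KEY, first_name TEXT,
            surname TEXT, job_title TEXT, employer TEXT, nationality TEXT);
        INSERT INTO sessions VALUES (1, '2014-02-25T09:00', 'Hall A');
        INSERT INTO speakers VALUES (1, 'Example Speaker', 'Constructed bio');
        INSERT INTO registered_users VALUES
            (1, 'Alice', 'Example', 'Analyst', 'Example Corp', 'NZ'),
            (2, 'Bob', 'Sample', 'Engineer', 'Sample Ltd', 'AU');
    """)
    return db


def audit_content_db(db, allowed_tables):
    """Return {table: {"columns": [...], "rows": n}} for tables that are not
    on the allow-list and hold PII-looking columns."""
    findings = {}
    tables = [r[0] for r in db.execute(
        "SELECT name FROM sqlite_master WHERE type='table' "
        "AND name NOT LIKE 'sqlite_%'")]
    for table in tables:
        if table in allowed_tables:
            continue  # reviewed and intended to be public (e.g. speaker bios)
        quoted = '"' + table.replace('"', '""') + '"'
        cols = [row[1] for row in db.execute(f"PRAGMA table_info({quoted})")]
        hits = [c for c in cols if any(h in c.lower() for h in PII_HINTS)]
        if hits:
            rows = db.execute(f"SELECT COUNT(*) FROM {quoted}").fetchone()[0]
            findings[table] = {"columns": hits, "rows": rows}
    return findings


if __name__ == "__main__":
    report = audit_content_db(build_sample_db(), allowed_tables={"sessions", "speakers"})
    for table, info in report.items():
        print(f"BLOCK RELEASE: {table} has {info['rows']} rows with {info['columns']}")
```

Run against the file the app actually downloads, a non-empty result is a reason to stop the release until the table is removed or explicitly approved.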

The RSA Conference app appears to have been developed by a third-party company called QuickMobile that also created apps for many other events and conferences.

It's not clear if any of those other apps have similar vulnerabilities and data security issues, but Ollmann believes there's a trend of creating mobile apps for marketing purposes and outsourcing their development to third parties with little consideration for security.

"Many corporate marketing teams I've dealt with have not only drunk the 'There's an app for that' Kool-Aid, they appear to bath in the stuff each night," Ollmann said. "As such, a turnkey approach to app production is destined to involve many sacrifices and, at the top of the sacrificial pillar, data security and integrity continue to reign supreme."

The fact that limited-purpose apps like the RSA Conference one have vulnerabilities is not very surprising considering that serious security issues have been found in the past in apps dealing with much more sensitive data. Researchers from IOActive recently found vulnerabilities in many mobile banking apps from financial institutions around the world.

"Security flaws in mobile applications (particularly these rapidly developed and targeted apps) are endemic, and I think the RSA example helps prove the point that there are often inherent risks in even the most benign applications," Ollmann said.

The RSA Conference organizers did not immediately respond to a request for comment.

If a corporate marketing team decides to release a mobile application, the app's security and integrity are their responsibility, Ollmann said. "While you can't outsource that, you can get another organization to assess the application on your behalf."
