Menu
RSA Conference mobile app has vulnerabilities, researchers say

RSA Conference mobile app has vulnerabilities, researchers say

The app exposes information about attendees in a SQLite database file, according to IOActive

A mobile application designed to make it easier for RSA Conference 2014 attendees to navigate the event and interact with their peers exposes personal information, according to researchers from security firm IOActive.

The IOActive researchers who looked at the app identified a half-dozen security issues, including one that allowed man-in-the-middle attackers to potentially inject rogue code into the app's login screen to steal credentials, said Gunter Ollmann, chief technology officer at IOActive, in a blog post.

Since the RSA Conference app is only used by several thousand people and the log-in credentials don't provide access to high-value information like financial data, it's unlikely hackers would go to the trouble of attempting to exploit the man-in-the-middle flaw. However, there's a second issue that exposes attendee data and is easier to exploit, according to Ollmann.

"The RSA Conference 2014 application downloads a SQLite DB [database] file that is used to populate the visual portions of the app (such as schedules and speaker information) but, for some bizarre reason, it also contains information of every registered user of the application -- including their name, surname, title, employer, and nationality," Ollmann said.

"I have no idea why the app developers chose to do that, but I'm pretty sure that the folks who downloaded and installed the application are unlikely to have thought that their details were being made public and published in this way," Ollmann said. "Marketers love this kind of information though!"

The RSA Conference app appears to have been developed by a third-party company called QuickMobile that also created apps for many other events and conferences.

It's not clear if any of those other apps have similar vulnerabilities and data security issues, but Ollmann believes there's a trend of creating mobile apps for marketing purposes and outsourcing their development to third parties with little consideration for security.

"Many corporate marketing teams I've dealt with have not only drunk the 'There's an app for that' Kool-Aid, they appear to bath in the stuff each night," Ollmann said. "As such, a turnkey approach to app production is destined to involve many sacrifices and, at the top of the sacrificial pillar, data security and integrity continue to reign supreme."

The fact that limited-purpose apps like the RSA Conference one have vulnerabilities is not very surprising considering that serious security issues have been found in the past in apps dealing with much more sensitive data. Researchers from IOActive recently found vulnerabilities in many mobile banking apps from financial institutions around the world.

"Security flaws in mobile applications (particularly these rapidly developed and targeted apps) are endemic, and I think the RSA example helps prove the point that there are often inherent risks in even the most benign applications," Ollmann said.

The RSA Conference organizers did not immediately respond to a request for comment.

If a corporate marketing team decides to release a mobile application, the app's security and integrity is their responsibility, Ollmann said. "While you can't outsource that, you can get another organization to assess the application on your behalf."


Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Tags securitymobile securitydata breachExploits / vulnerabilitiesdata protectionprivacyIOActive

Featured

Slideshows

Consegna comes to town with AWS cloud offerings launch in Auckland

Consegna comes to town with AWS cloud offerings launch in Auckland

Emerging start-up Consegna has officially launched its cloud offerings in the New Zealand market, through a kick-off event held at Seafarers Building in Auckland.​ Founded in June 2016, the Auckland-based business is backed by AWS and supported by a global team of cloud specialists, leveraging global managed services partnerships with Rackspace locally.

Consegna comes to town with AWS cloud offerings launch in Auckland
Veritas honours top performing trans-Tasman partners

Veritas honours top performing trans-Tasman partners

Veritas honoured its top performing partners across the channel in Australia and New Zealand, recognising innovation and excellence on both sides of the Tasman. Revealed under the Vivid lights in Sydney, Intalock claimed the coveted Partner of the Year 2017 (Pacific) award, with Data#3 acknowledged for 12 months of strong growth across the market. Meanwhile, Datacom took home the New Zealand honours, with Global Storage and Insentra winning service provider and consulting awards respectively. Dicker Data was recognised as the standout distributor of the year, while Hitachi Data Systems claimed the alliance partner award. Photos by Bob Seary.

Veritas honours top performing trans-Tasman partners
An Evening With Eugene Kaspersky for Kiwi partners in Auckland

An Evening With Eugene Kaspersky for Kiwi partners in Auckland

​New Zealand partners came together for An Evening With Eugene Kaspersky in Auckland, an invitation only event as part of Kaspersky Lab Partner Engage. Following an evening of insights and executive networking with the founder of Kaspersky Lab, Eugene Kaspersky, Kiwi partners got up close and personal with Eugene in an unprecedented​ panel discussion. Facilitated by Reseller News, this panel explored channel relationships, successful business strategies, and the latest ground breaking technologies to impact the security market. Photos by Maria Stefina.

An Evening With Eugene Kaspersky for Kiwi partners in Auckland
Show Comments