RSA Conference mobile app has vulnerabilities, researchers say

The app exposes information about attendees in a SQLite database file, according to IOActive

A mobile application designed to make it easier for RSA Conference 2014 attendees to navigate the event and interact with their peers exposes personal information, according to researchers from security firm IOActive.

The IOActive researchers who looked at the app identified a half-dozen security issues, including one that allowed man-in-the-middle attackers to potentially inject rogue code into the app's login screen to steal credentials, said Gunter Ollmann, chief technology officer at IOActive, in a blog post.

Since the RSA Conference app is only used by several thousand people and the log-in credentials don't provide access to high-value information like financial data, it's unlikely hackers would go to the trouble of attempting to exploit the man-in-the-middle flaw. However, there's a second issue that exposes attendee data and is easier to exploit, according to Ollmann.

"The RSA Conference 2014 application downloads a SQLite DB [database] file that is used to populate the visual portions of the app (such as schedules and speaker information) but, for some bizarre reason, it also contains information of every registered user of the application -- including their name, surname, title, employer, and nationality," Ollmann said.

"I have no idea why the app developers chose to do that, but I'm pretty sure that the folks who downloaded and installed the application are unlikely to have thought that their details were being made public and published in this way," Ollmann said. "Marketers love this kind of information though!"

The RSA Conference app appears to have been developed by a third-party company called QuickMobile that also created apps for many other events and conferences.

It's not clear if any of those other apps have similar vulnerabilities and data security issues, but Ollmann believes there's a trend of creating mobile apps for marketing purposes and outsourcing their development to third parties with little consideration for security.

"Many corporate marketing teams I've dealt with have not only drunk the 'There's an app for that' Kool-Aid, they appear to bath in the stuff each night," Ollmann said. "As such, a turnkey approach to app production is destined to involve many sacrifices and, at the top of the sacrificial pillar, data security and integrity continue to reign supreme."

The fact that limited-purpose apps like the RSA Conference one have vulnerabilities is not very surprising considering that serious security issues have been found in the past in apps dealing with much more sensitive data. Researchers from IOActive recently found vulnerabilities in many mobile banking apps from financial institutions around the world.

"Security flaws in mobile applications (particularly these rapidly developed and targeted apps) are endemic, and I think the RSA example helps prove the point that there are often inherent risks in even the most benign applications," Ollmann said.

The RSA Conference organizers did not immediately respond to a request for comment.

If a corporate marketing team decides to release a mobile application, the app's security and integrity is their responsibility, Ollmann said. "While you can't outsource that, you can get another organization to assess the application on your behalf."

Tags securitydata breachmobile securitydata protectionExploits / vulnerabilitiesIOActiveprivacy

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service

Comments

Comments are now closed.

Most Popular Reviews

Follow Us

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Latest News Articles

Resources

Best Deals on GoodGearGuide

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?