A mobile application designed to make it easier for RSA Conference 2014 attendees to navigate the event and interact with their peers exposes personal information, according to researchers from security firm IOActive.
The IOActive researchers who looked at the app identified a half-dozen security issues, including one that allowed man-in-the-middle attackers to potentially inject rogue code into the app’s login screen to steal credentials, said Gunter Ollmann, chief technology officer at IOActive, in a blog post.
Since the RSA Conference app is only used by several thousand people and the log-in credentials don’t provide access to high-value information like financial data, it’s unlikely hackers would go to the trouble of attempting to exploit the man-in-the-middle flaw. However, there’s a second issue that exposes attendee data and is easier to exploit, according to Ollmann.
“The RSA Conference 2014 application downloads a SQLite DB [database] file that is used to populate the visual portions of the app (such as schedules and speaker information) but, for some bizarre reason, it also contains information of every registered user of the application—including their name, surname, title, employer, and nationality,” Ollmann said.
“I have no idea why the app developers chose to do that, but I’m pretty sure that the folks who downloaded and installed the application are unlikely to have thought that their details were being made public and published in this way,” Ollmann said. “Marketers love this kind of information though!”
Third party to blame
The RSA Conference app appears to have been developed by a third-party company called QuickMobile that also created apps for many other events and conferences.
It’s not clear if any of those other apps have similar vulnerabilities and data security issues, but Ollmann believes there’s a trend of creating mobile apps for marketing purposes and outsourcing their development to third parties with little consideration for security.
“Many corporate marketing teams I’ve dealt with have not only drunk the ‘There’s an app for that’ Kool-Aid, they appear to bath in the stuff each night,” Ollmann said. “As such, a turnkey approach to app production is destined to involve many sacrifices and, at the top of the sacrificial pillar, data security and integrity continue to reign supreme.”
The fact that limited-purpose apps like the RSA Conference one have vulnerabilities is not very surprising considering that serious security issues have been found in the past in apps dealing with much more sensitive data. Researchers from IOActive recently found vulnerabilities in many mobile banking apps from financial institutions around the world.
“Security flaws in mobile applications (particularly these rapidly developed and targeted apps) are endemic, and I think the RSA example helps prove the point that there are often inherent risks in even the most benign applications,” Ollmann said.
The RSA Conference organizers did not immediately respond to a request for comment.
If a corporate marketing team decides to release a mobile application, the app’s security and integrity is their responsibility, Ollmann said. “While you can’t outsource that, you can get another organization to assess the application on your behalf.”