RSA Conference App Leaks Personal Data
If you were attending the RSA Conference this week and installed the official conference app on your smartphone, you are on a list.
In a blog post, IOActive researcher Gunter Ollmann noted that "in the run up to the RSA USA 2014 conference, a new mobile application was conceived and thrust upon the Apple and Google app stores and electronically marketed to the world at large." He thinks the "last minute" nature of the app may have been its undoing.
He noted that the pitch on Google Play is straightforward: "With the RSA Conference Mobile App, you can stay connected with all Conference activities, view the event catalog, manage session schedules and engage with colleagues and peers while onsite using our social and professional networking tools. You'll have access to dynamic agenda updates, venue maps, exhibitor listing and more!"
However, research done at IOActive revealed that the app was subject to man-in-the-middle attacks, in that someone intercepting its traffic could see which sessions you were interested in. Since that information is of limited value, Ollmann points to a second, more serious vulnerability: "The RSA Conference 2014 application downloads a SQLite DB file that is used to populate the visual portions of the app (such as schedules and speaker information) but, for some bizarre reason, it also contains information of every registered user of the application–including their name, surname, title, employer, and nationality."
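The second finding above, a downloaded SQLite file carrying every registrant's details, is exactly what a pre-release assessment of a mobile app's bundled or downloaded data stores should catch. The following Python check is an added example (not code from IOActive, RSA or QuickMobile): it scans every table in a SQLite database for columns named like personal-data fields and reports their row counts; the sample database it builds is constructed here to mirror the fields the article lists.

```python
import re
import sqlite3

# Column names that commonly carry personal data. The five fields named in the
# IOActive finding (name, surname, title, employer, nationality) are covered;
# the others are common variants an assessor would also want flagged.
PII_COLUMN_PATTERNS = [
    r"^(first_?|last_?|sur)?name$", r"^title$", r"^employer$", r"^company$",
    r"^nationality$", r"^country$", r"^e?mail$", r"^phone$", r"^address$",
]

def pii_columns(columns):
    """Return the subset of column names that look like personal-data fields."""
    return [c for c in columns
            if any(re.match(p, c.lower()) for p in PII_COLUMN_PATTERNS)]

def audit_sqlite(conn):
    """Scan every table in an open SQLite connection and report the tables whose
    columns look like PII, with the number of rows each holds.
    Returns {table: {"pii_columns": [...], "rows": n}} for flagged tables only."""
    findings = {}
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table'")]
    for table in tables:
        # PRAGMA table_info rows are (cid, name, type, notnull, dflt_value, pk)
        cols = [r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')]
        hits = pii_columns(cols)
        if hits:
            rows = conn.execute(f'SELECT COUNT(*) FROM "{table}"').fetchone()[0]
            findings[table] = {"pii_columns": hits, "rows": rows}
    return findings

def build_sample_db():
    """Constructed stand-in for the kind of file the article describes: a
    harmless schedule table plus an attendee table holding registrant details."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE sessions(id INTEGER, room TEXT, start_time TEXT, topic TEXT);
        INSERT INTO sessions VALUES (1, 'Room 101', '09:00', 'Mobile app security');
        CREATE TABLE attendees(id INTEGER, name TEXT, surname TEXT, title TEXT,
                               employer TEXT, nationality TEXT);
        INSERT INTO attendees VALUES (1, 'Alice', 'Example', 'CISO', 'ExampleCorp', 'US');
        INSERT INTO attendees VALUES (2, 'Bob', 'Sample', 'Engineer', 'SampleCo', 'CA');
    """)
    return conn

if __name__ == "__main__":
    # Against a real app, replace build_sample_db() with sqlite3.connect(path_to_db).
    for table, info in audit_sqlite(build_sample_db()).items():
        print(f"{table}: {info['rows']} rows, PII-like columns {info['pii_columns']}")
```

Column-name matching is a heuristic: a session table with a "title" column would also be flagged, so review each hit by hand rather than treating the report as a verdict.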
RSA didn't develop the app itself; a company called QuickMobile did. Its clients include some major corporations, so this wasn't a small developer shop making first-time mistakes, he said.
Ollmann concludes: "Here's a little bit of advice to any corporate marketing team. If you're going to release your own mobile application, the security and integrity of that application are your responsibility. While you can't outsource that, you can get another organization to assess the application on your behalf."