
RSA 2014: RSA Conference App Leaks Data On Thousands Of Users

Researchers have uncovered some worrying holes in the RSA 2014 Conference app for iOS and Android, leaking data of the thousands of users running the software on their phones.

The app, ironically one designed to help people around this week’s security event, contains a weakness leaving it open to man-in-the-middle attacks, where an attacker could inject code into the login sequence to steal credentials.

It also downloads an SQLite database file used to populate visualisations, such as schedules and speaker information, but that file also contained information on every registered user of the software, including name, surname, title, employer and nationality, security consultancy IOActive said in a blog post.
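The data-minimisation failure described above (a file shipped to every device for schedule and speaker views that also carries a full attendee table) is the kind of thing a pre-release review can catch mechanically. The script below is an added example, not code from the article, IOActive or QuickMobile: it builds a constructed in-memory SQLite file mimicking that situation, lists every table with columns whose names look like personal data, and flags those outside the set of tables the UI has a stated need for. The column-name patterns and the expected-table set are assumptions for the example.

```python
"""Audit an SQLite data file an app downloads for tables holding personal data.

Added example (not from the article or the app's developer). The sample
database is constructed inline to mimic a schedule/speaker dataset that also
contains an attendee dump.
"""
import re
import sqlite3

# Heuristic column-name patterns for personal data (assumption, not a standard).
PII_PATTERNS = [
    r"first.?name", r"last.?name", r"surname", r"full.?name", r"^name$",
    r"email", r"phone", r"employer", r"company", r"^title$", r"job",
    r"nationality", r"address",
]
PII_RE = re.compile("|".join(PII_PATTERNS), re.IGNORECASE)

# Tables the app's views legitimately need (assumption: the schedule and
# speaker visualisations the article says the file populates).
EXPECTED_TABLES = {"sessions", "speakers"}


def build_sample_db() -> sqlite3.Connection:
    """Constructed sample: schedule and speaker data plus an attendee table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE sessions (id INTEGER, title TEXT, room TEXT, start_time TEXT);
        CREATE TABLE speakers (id INTEGER, name TEXT, bio TEXT);
        CREATE TABLE attendees (id INTEGER, first_name TEXT, surname TEXT,
                                title TEXT, employer TEXT, nationality TEXT);
        INSERT INTO sessions VALUES (1, 'Keynote', 'Hall A', '2014-02-25T09:00');
        INSERT INTO speakers VALUES (1, 'Speaker One', 'Example bio');
        INSERT INTO attendees VALUES (1, 'Alice', 'Example', 'CISO', 'ExampleCorp', 'GB');
        INSERT INTO attendees VALUES (2, 'Bob', 'Sample', 'Analyst', 'SampleCo', 'US');
        """
    )
    conn.commit()
    return conn


def audit_pii(conn: sqlite3.Connection) -> dict:
    """Return {table: {"rows", "pii_columns", "expected"}} for every table that
    has at least one column whose name matches a PII pattern."""
    findings = {}
    cur = conn.cursor()
    tables = [r[0] for r in cur.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'"
    )]
    for table in tables:
        # PRAGMA table_info rows: (cid, name, type, notnull, dflt_value, pk)
        cols = [r[1] for r in cur.execute(f'PRAGMA table_info("{table}")')]
        pii_cols = [c for c in cols if PII_RE.search(c)]
        if not pii_cols:
            continue
        rows = cur.execute(f'SELECT COUNT(*) FROM "{table}"').fetchone()[0]
        findings[table] = {
            "rows": rows,
            "pii_columns": pii_cols,
            "expected": table in EXPECTED_TABLES,
        }
    return findings


def unexpected_pii_tables(findings: dict) -> list:
    """Tables carrying personal data that no view needs: the data the app
    should never have shipped to clients."""
    return sorted(t for t, f in findings.items() if not f["expected"])


if __name__ == "__main__":
    results = audit_pii(build_sample_db())
    for table, info in results.items():
        flag = "OK  " if info["expected"] else "WARN"
        print(f"{flag} {table}: {info['rows']} rows, PII-like columns {info['pii_columns']}")
    print("unexpected PII tables:", unexpected_pii_tables(results))
```

On the constructed sample the `sessions` and `speakers` tables are reported but accepted, since the UI needs them, while `attendees` is flagged as unexpected. Against a real app bundle, point `sqlite3.connect` at the downloaded file and adjust `EXPECTED_TABLES` to the views the app actually renders; anything left in the unexpected list is data every installer receives without needing it.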

Irony alert for RSA

“I have no idea why the app developers chose to do that, but I’m pretty sure that the folks who downloaded and installed the application are unlikely to have thought that their details were being made public and published in this way. Marketers love this kind of information though,” said Gunter Ollmann, chief technology officer for IOActive.

“Some readers may think I’m targeting RSA, and in a small way I guess I am. Security flaws in mobile applications (particularly these rapidly developed and targeted apps) are endemic, and I think the RSA example helps prove the point that there are often inherent risks in even the most benign applications.

“I’m betting that RSA didn’t even create the application themselves. The Google Play store indicates that a company called QuickMobile was the developer.”

It appears QuickMobile, which focuses on apps for conferences and events, has created a number of apps for well-known brands, including Adobe and McDonald’s. Its website says Microsoft, Dell and Disney are customers too.

Neither RSA nor QuickMobile had responded to a request for comment at the time of publication.

Ollmann had one piece of advice for users: don’t download the RSA Conference app. “Readers of this blog may want to refrain from downloading the RSA Conference 2014 (and related) mobile applications – unless you’re a hacker or marketing team that wants to acquire a free list of conference attendees’ names, positions and employers.”

He told TechWeekEurope RSA had been notified. “We’ve advised them and EMC [RSA’s parent company] of the vulnerabilities and we’ll let them decide on how to resolve the issues (if they feel they need fixing – which I hope they do fix).”


Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.
