RSA 2014: RSA Conference App Leaks Data On Thousands Of Users


Irony alert for RSA as its conference app found to leak data on users and is open to potential man-in-the-middle attacks

Researchers have uncovered some worrying holes in the RSA 2014 Conference app for iOS and Android, leaking data on the thousands of users running the software on their phones.

The app, ironically one designed to help attendees find their way around this week’s security event, contains a weakness leaving it open to man-in-the-middle attacks, where an attacker could inject code into the login sequence to steal credentials.

It also downloads an SQLite database file used to populate visualisations, such as schedules and speaker information, but that file also contained information on every registered user of the software, including name, surname, title, employer and nationality, security consultancy IOActive said in a blog post.

Irony alert for RSA

“I have no idea why the app developers chose to do that, but I’m pretty sure that the folks who downloaded and installed the application are unlikely to have thought that their details were being made public and published in this way. Marketers love this kind of information though,” said Gunter Ollmann, chief technology officer for IOActive.

“Some readers may think I’m targeting RSA, and in a small way I guess I am. Security flaws in mobile applications (particularly these rapidly developed and targeted apps) are endemic, and I think the RSA example helps prove the point that there are often inherent risks in even the most benign applications.

“I’m betting that RSA didn’t even create the application themselves. The Google Play store indicates that a company called QuickMobile was the developer.”

It appears QuickMobile, which focuses on apps for conferences and events, has created a number of apps for well-known brands, including Adobe and McDonald’s. Its website says Microsoft, Dell and Disney are customers too.

Neither RSA nor QuickMobile had responded to a request for comment at the time of publication.

Ollmann had one piece of advice for users: don’t download the RSA Conference app. “Readers of this blog may want to refrain from downloading the RSA Conference 2014 (and related) mobile applications – unless you’re a hacker or marketing team that wants to acquire a free list of conference attendees names, positions and employers.”

He told TechWeekEurope RSA had been notified. “We’ve advised them and EMC [RSA’s parent company] of the vulnerabilities and we’ll let them decide on how to resolve the issues (if they feel they need fixing – which I hope they do fix).”
