If RSA Can't Protect its Apps, How Can Your Organization?

The 2017 RSA Conference has as its slogan “Where the world talks security” and describes its mission as “to connect you with the people and insights that will empower you to stay ahead of cyber threats”.

This all sounds very reassuring, especially as RSA Security LLC, the company organizing the yearly conference, is also a renowned computer and network security company.

However, like the old story of the cobbler, who only made shoes for customers while his own children had to go barefoot, the RSA Conference has run into problems in the recent past with its own security. At last year’s conference in 2016, the mobile badge scanning app provided by the conference organizers to vendors for scanning visitor badges had a critical vulnerability. It contained a hardcoded default password, visible in plain text in the mobile app code.

Security experts found they could use the password to access the settings of the app, and from there access the settings of the mobile device and take control of it. While giving the app’s creators the benefit of the doubt, attributing the flaw to poor development practice rather than malicious intent, the experts noted that an attacker could remove all the data from the device, or even install malware to continue stealing data afterwards.

What is the risk that the mobile app available to participants in the 2017 RSA Conference will also have vulnerabilities? There are two factors to consider. First, when the creation of an app is entrusted to a third party, the conference organizers weaken their control over the security of their own app. Second, the mishap in 2016 had already been preceded in 2014 by unfortunate security flaws in another RSA Conference mobile app.

In the 2014 case, one of the mobile app security flaws exposed the name, surname, title, employer, and nationality of every registered user of the application. The application downloaded an SQLite DB file with information on schedules and speakers, but the file, for no apparent reason, also contained information on all the registered app users.
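A leak of this kind is easy to catch before release if someone actually inspects what the app ships or downloads. The following added example (not code from the conference, the app vendor, or Mi3 Security) audits a SQLite file against an allowlist of the tables the app is supposed to need and flags any extra table that carries personal-data-looking columns; the sample database is constructed inline to mirror the 2014 case, and the table and column names are assumptions.

```python
import re
import sqlite3

# Tables the app legitimately needs for its schedule feature (assumed names).
EXPECTED_TABLES = {"sessions", "speakers"}

# Column names that suggest data about registrants rather than conference content.
PII_COLUMN_RE = re.compile(
    r"(first_?|last_?|sur)?name|title|employer|company|nationality|email", re.I)


def audit_shipped_db(conn):
    """Return findings as (table, pii_columns, row_count) for every table that
    is not on the allowlist and exposes PII-like columns."""
    findings = []
    cur = conn.cursor()
    tables = [r[0] for r in cur.execute(
        "SELECT name FROM sqlite_master "
        "WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
    for table in tables:
        if table in EXPECTED_TABLES:
            continue  # speakers legitimately carry name/title/employer
        cols = [r[1] for r in cur.execute(f'PRAGMA table_info("{table}")')]
        pii = [c for c in cols if PII_COLUMN_RE.fullmatch(c)]
        if pii:
            rows = cur.execute(f'SELECT COUNT(*) FROM "{table}"').fetchone()[0]
            findings.append((table, pii, rows))
    return findings


def build_sample_db():
    """Constructed sample: schedule data plus a stray registrants table, as in 2014."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE sessions (id INTEGER, title TEXT, room TEXT);
        CREATE TABLE speakers (id INTEGER, name TEXT, title TEXT, employer TEXT);
        CREATE TABLE users (id INTEGER, first_name TEXT, surname TEXT, title TEXT,
                            employer TEXT, nationality TEXT);
        INSERT INTO sessions VALUES (1, 'Keynote', 'Hall A');
        INSERT INTO speakers VALUES (1, 'A. Speaker', 'CTO', 'ExampleCorp');
        INSERT INTO users VALUES (1, 'Jane', 'Doe', 'Analyst', 'ExampleCorp', 'US');
        INSERT INTO users VALUES (2, 'John', 'Roe', 'Engineer', 'OtherCo', 'UK');
    """)
    return conn


if __name__ == "__main__":
    for table, pii, rows in audit_shipped_db(build_sample_db()):
        print(f"BLOCK RELEASE: table '{table}' has {rows} rows with PII columns {pii}")
```

Run the same check against the real file the app downloads at first launch, not only the one bundled in the package, since the 2014 exposure came from a downloaded database.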

If the RSA Conference can make such mobile app security errors twice in the space of two years, will anyone else get it right? To compound the problem, the enthusiasm of many organizing committees and marketing departments about having an app made for their event is inversely proportional to the amount of time they spend thinking about security.

Granted, one could argue that the RSA Conference app is used by a few thousand people at most and that the information exposed is not as sensitive as personal or enterprise financial data, for example. In other words, attackers would be less likely to exploit the flaws in the app. However, in terms of self-inflicted reputational damage, the 2014 and 2016 RSA Conference apps have been quite effective.

Perhaps the most regrettable aspect is that for events like the RSA Conference, mobile apps can be rapidly and reliably assessed for possible security defects, whether or not the source code is available from the third-party app creator. AppInterrogator, for instance, could return a conclusive result within minutes, even if the application is written by a third party and source code access is not available.

Mi3 Security's RECON Platform enables organizations to fully understand their mobile app threat posture before ever releasing an application. With seamless integration into Enterprise SDLC workflows it's now possible to provide QA, developers and Risk Officers with actionable risk intelligence, ensuring downstream risk is mitigated prior to launch.

If the cobbler’s children had nothing to protect their feet, they could at least stay out of sight. But if the RSA Conference and other events do not take basic precautions in having their outsourced apps checked by another independent entity, the problems will be there for everyone to see.