
RSA App Exposes User Data Due to Common Developer Mistake

Late last week security researchers found the RSA security conference exposing conference attendee data via vulnerabilities in its mobile app.

Because a third-party developer had hard-coded data, including security keys and passwords, into the RSA Conference application, a researcher was able to use an API to download and decrypt data on RSA Conference 2018 attendees from the Android version of the app. Since the iOS version of the app relied on the same API, users who downloaded the app from either Google Play or the Apple App Store would also have had their data exposed.

The screenshots below show the developer instructions that made the error exploitable, and that iOS data could be accessed as well.

API: https://rsa1-webservice.eventbase.com/v1/attendee-list/get-updates/?pid=rsa2018&token=

iOS app snippet (screenshot)

Mobile app data leakage is likely the most pervasive security issue plaguing Google Play and Apple App Store users, with hundreds of millions of downloaders affected. In fact, this type of data exposure via mobile apps is nothing new, even for RSA.

According to Ars Technica and the researchers at IOActive, half a dozen security issues were found in the RSA Conference 2014 Android app. These included man-in-the-middle (MiTM) vulnerabilities and a SQL database file that, in addition to housing app assets like the schedule, also contained conference registrant information.

Appthority has found thousands of apps in the app stores that have hard-coded credentials, exposing user data via APIs similar to this one, and worse. We highlighted a similar issue in our research into the 2015 Mobile World Congress app. More recently, we exposed massive data leaks in our findings on the Eavesdropper and HospitalGown vulnerabilities.
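The root cause described above is a credential or key embedded as a string literal in the shipped app. The following scanner is an added example written for this post (it is not Appthority's product code, nor the RSA app's code): it walks decompiled text such as an Android strings.xml or Java/Kotlin source, and flags string literals whose variable name looks credential-like or whose value looks like an encoded key (key-like character set plus high Shannon entropy). The name list, the entropy threshold of 3.5 bits per character, and the sample input are all assumptions constructed for illustration; the key values in the sample are fake.

```python
"""Hard-coded credential scanner for decompiled mobile-app text (added example)."""
import math
import re
from collections import Counter
from dataclasses import dataclass, field

# Variable/resource names that commonly hold credentials. Assumption: a starter
# list, deliberately broad ("key" also hits e.g. "keyboard_hint").
SUSPICIOUS_NAMES = re.compile(r"(key|secret|token|passw|auth|credential)", re.IGNORECASE)

# Values made only of base64/hex/urlsafe characters look like encoded keys;
# URLs and human sentences fail this test and are not judged on entropy.
KEY_CHARSET = re.compile(r"^[A-Za-z0-9+/=_\-]+$")

# Android resource string: <string name="x">value</string>
XML_STRING = re.compile(r'<string\s+name="(?P<name>[^"]+)"\s*>(?P<value>[^<]{8,})</string>')
# Java/Kotlin-style assignment of a string literal: NAME = "value"
ASSIGNMENT = re.compile(r'(?P<name>[A-Za-z_][A-Za-z0-9_]*)\s*=\s*"(?P<value>[^"]{8,})"')


@dataclass
class Finding:
    line: int
    name: str
    value: str
    reasons: list = field(default_factory=list)


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for a single repeated character)."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_text(text: str, entropy_threshold: float = 3.5) -> list:
    """Return one Finding per line whose string literal looks like a hard-coded secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for pattern in (XML_STRING, ASSIGNMENT):
            m = pattern.search(line)
            if not m:
                continue
            name, value = m.group("name"), m.group("value")
            reasons = []
            if SUSPICIOUS_NAMES.search(name):
                reasons.append("credential-like name")
            if KEY_CHARSET.match(value) and shannon_entropy(value) >= entropy_threshold:
                reasons.append("high-entropy literal")
            if reasons:
                findings.append(Finding(lineno, name, value, reasons))
            break  # first matching pattern decides how the line is parsed
    return findings


# Constructed sample mixing strings.xml entries and Java constants. All values are fake.
SAMPLE = """\
<string name="app_name">Conference Guide</string>
<string name="welcome_message">Welcome to the conference!</string>
<string name="api_token">QmFzZTY0LWxvb2tpbmctZmFrZS10b2tlbg==</string>
private static final String BASE_URL = "https://api.example.invalid/v1/";
private static final String CFG = "a1b2c3d4e5f60718293a4b5c6d7e8f90";
private static final String DB_PASSWORD = "Sup3rS3cretP@ss";
static String userGreeting = "Hello attendee";
"""


if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        # Mask the value so the report itself does not leak the secret.
        masked = f.value[:4] + "..." + f.value[-2:]
        print(f"line {f.line}: {f.name} = {masked}  ({', '.join(f.reasons)})")
```

Run against the sample, the scanner reports line 3 (credential-like name, and a base64-looking value), line 5 (a hex literal with maximal entropy despite its innocuous name), and line 6 (a password by name, but not by character set); the URL on line 4 and the greetings are ignored. In a real review the same two signals, name and value shape, are what a build-time check should gate on, with anything flagged moved out of the binary and into a server-side exchange that hands the app a short-lived, per-user token.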

In the case of the RSA Conference app, the researcher was able to effectively shame RSA into resolving the issue via a Twitter DM. In most disclosure cases the outcome is not as quick. The app stores have privacy policies that telegraph how much security effort they expect from developers, which can be summed up as “be secure” (see Android’s privacy policy example below).

There are no security resolution requirements for developers or the app sponsors, no required security contacts for app authors, and both Apple and Google leave known vulnerable apps in the store.

With limited developer and app store support, this shifts the burden of detection and protection entirely to the end user. For consumers, there do not appear to be any security apps that focus on these types of vulnerabilities. For enterprises, there are mobile security solutions, such as Appthority Mobile Threat Protection, with detection and workflows to mitigate these issues.

We believe this issue will only get worse until stores adopt and enforce policies that require security contacts, resolution time frames, and other methods to enable quick resolution. Let’s hope that, in addition to the app stores assisting more in this area, RSA itself will start to take the lead in improving mobile app security.


This is a Security Bloggers Network syndicated blog from Mobile Threat Blog Posts | Appthority, authored by Michael Bentley. Read the original post at: https://www.appthority.com/mobile-threat-center/blog/rsa-app-exposes-user-data-due-to-common-developer-mistake/