Crowding through the front doors of the Moscone Center, we all look like deer in the headlights. Rushing into the bright lights and recycled air of the conference’s lobby, we are desperate for some direction – where to go, when to be there, who to meet. There are lines for computers, lines for people behind desks, lines for coat check and the longest line of all just below at the coffee shop.
There are a few signs, but the one that stands out doesn't have a booth number; it asks you to download an app for the RSA Conference that will handle all of your scheduling needs. PERFECT.
Days after you download it, the story breaks, and the perfect app turns out to be the latest threat to your identity. It may seem unlikely that a mobile app built for a security conference would itself have security flaws, but unfortunately it isn't that unusual.
With attendees often feeling overwhelmed, an event app is enticing, and building mobile apps purely for marketing purposes has become a trend.
“Security flaws in mobile applications (particularly these rapidly developed and targeted apps) are endemic, and I think the RSA example helps prove the point that there are often inherent risks in even the most benign applications” – Gunter Ollmann, CTO IOActive.
Mobile is growing at an incredible pace, and the information we keep on our devices can be sensitive. Security should not be pushed to the back burner when applications are being created, even if they are built for a specific, short-term use. Third-party developers have made great apps (including the infamous Flappy Bird), but security is repeatedly overlooked: by the developers, by the advertisers, and by the users. They say to surround yourself with people who make you better, but being physically present at a security conference does not make you invincible to attacks.
The good news? The only information in the app's SQL database is things like your first name, surname, title, employer, and nationality; no financial information. The bad news? Those fields, combined with the location information they imply (you were presumably at the conference), say a lot about you and open up new attack vectors: a list of named security professionals, with their employers and job titles, who are known to be at a specific event is exactly the starting point a targeted phishing or social-engineering campaign wants.
Mobile continues to change (look at these predictions for the next two years), but we always need to think with security in mind. After all, we aren't invincible: we look before crossing the street, and the mobile and technology networks we connect to every day deserve the same caution.