
"Using this password an attacker could gain access to the app’s developer mode, root the device, pull any data off of it, or install malware to steal even more data."

“If you develop an app, it's usually a best practice to not leave a hardcoded password in your code. Just because an app is being used for one of the world's largest cyber security conferences doesn't automatically mean it's more secure."

Blaich is making a fair point. The RSA Conference is one of the biggest security events of the year, but that is no guarantee that its app - probably made by a third party - is going to have security at its heart.

And although at first glance you may imagine that the risks of such a flaw are fairly limited, just remember that these are devices which have been collecting information about visitors to a computer security conference all day long.

In the chaotic environment of a trade show it's easy to imagine how an unauthorised party might temporarily grab a badge-scanning smartphone provided by the organisers and install malware on it which could forward them details of delegates. It would certainly make for a more comfortable week if you could relax in the knowledge that your competitor on another booth was collecting data from potential customers on your behalf.

Of course there is a serious message for all businesses here. If you are building an app, or having an app built for you by a third party, just how seriously are you taking security? Do you feel confident that the developers have embraced the concept of privacy and security, and are doing everything in their power to make you an app that is watertight?

You can follow the latest goings-on from the RSA Conference by checking out some of the highlights so far. And if you're at the conference please do drop by and say "Hi" to the folks at Tripwire, on their booth at North Expo #N3301. They will be pleased to see you, and just smile when they swipe your badge. :)

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.