Even though the event company behind the development of the app claims on its website that the app was vetted by a well-known security vendor, several privacy concerns were unfortunately discovered. Appthority’s automated analysis framework flagged some serious hidden risks in the official Mobile World Congress app. We routinely find such risks in popular apps used by employees in the workplace–unbeknownst to IT and security administrators.
Our analysis engines detected that an excessive amount of data was leaked through API calls to MWC servers, including the entire list of vendors and conference attendees with their email and contact information (considered PII by many), stored in plain text in a SQLite database within the resource folder–before authentication took place! This effectively left the entire list of attendees open to any bad guys scraping for contact information without having to attend the MWC in Barcelona.
For those interested, here are some technical details:
- The MWC app was using hard-coded authentication credentials to obtain a wealth of conference information over the network, including the names of all attendees with their full address, full names, company and job title, LinkedIn IDs, biography photo, Twitter name, list of skills, and the date they signed up.
- We were able to verify over 25k records of attendees.
- Attendee or Visitor IDs are deterministic and sequential.
- The same hard-coded credentials were able to pull similar PII information for all speakers and exhibitors.
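The first finding, a database of attendee PII shipped inside the package and readable before any authentication, is the kind of thing an app-vetting pipeline can catch statically. The following is an added example, not Appthority's analysis engine or the MWC app's code: it treats an APK as the zip archive it is, finds every bundled file by its SQLite magic bytes rather than its extension, and counts rows per table that carry an e-mail-looking value. The sample "APK" and its attendee records are constructed inline.

```python
import io, os, pathlib, re, sqlite3, tempfile, zipfile

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of every SQLite 3 file

def pii_rows_in_sqlite(blob):
    """{table: number of rows holding an e-mail-looking value} for one SQLite file."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "scan.db")
        pathlib.Path(path).write_bytes(blob)
        con = sqlite3.connect(path)
        names = [t for (t,) in con.execute("SELECT name FROM sqlite_master WHERE type='table'")]
        result = {}
        for t in names:
            # table names come from the scanned file itself, so quote them as identifiers
            rows = con.execute('SELECT * FROM "%s"' % t.replace('"', '""'))
            hits = sum(any(isinstance(v, str) and EMAIL_RE.search(v) for v in row) for row in rows)
            if hits:
                result[t] = hits
        con.close()
        return result

def scan_apk(apk_bytes):
    """{zip member: {table: pii_rows}} for every SQLite database bundled in the package."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:  # an APK is a plain zip archive
        for info in z.infolist():
            data = z.read(info)
            if data.startswith(SQLITE_MAGIC):  # match by magic, not by file extension
                rows = pii_rows_in_sqlite(data)
                if rows:
                    findings[info.filename] = rows
    return findings

def build_sample_apk():
    """Constructed stand-in for an APK: a zip shipping an attendee DB under assets/."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "attendees.db")
        con = sqlite3.connect(path)
        con.execute("CREATE TABLE attendee(id INTEGER, name TEXT, email TEXT)")
        con.executemany("INSERT INTO attendee VALUES (?, ?, ?)",  # constructed records
                        [(1001, "A. Sample", "a@example.com"),
                         (1002, "B. Sample", "b@example.com"), (1003, "C. Sample", None)])
        con.commit(); con.close()
        db = pathlib.Path(path).read_bytes()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("assets/attendees.db", db)
        z.writestr("res/values/strings.xml", "<resources/>")  # non-DB member, skipped by the scan
    return buf.getvalue()
```

Any non-empty result from `scan_apk` means the package ships personal data that is readable by anyone who downloads it, which is exactly the pre-authentication exposure described above.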
The app also contains additional SDKs to carry out other functionalities, some of which have resulted in multiple complaints on the Google Play page for the app: multiple users have cried foul over the ability of the app to persistently turn on Bluetooth and keep it running. Based on our analysis, it appears the Bluetooth functionality is being used to track visitor whereabouts while at the MWC event.
In many ways it’s ironic that at the premier event for mobile, where security is one of the key issues being addressed, the conference attendees themselves were victims of mobile security and privacy concerns.