This year participants at the 2016 RSA Conference will have an ugly surprise, many vendors were provided with Samsung Galaxy S4 smartphones that run a special Android app, available on the Google Play, that allows them to keep track of visitors by scanning their badges.
The mobile scanning cannot be used for anything except scanning badges, unless the administrator unlocks it using a password. This working mode is also note as “kiosk mode.”
Security experts at Bluebox Security downloaded analyzed the scanning app and discovered that authors embedded the default password in the source code in plain text.
“When we used that passcode we were able to gain access to the kiosk app’s settings. This, in turn, let us gain access to the device’s system settings, which then enabled us to put the device into developer mode to gain full access to the device,” Bluebox Security researchers told Securityweek.com. “This is concerning because if we can do this, an attacker can too, letting them root the device, pull any data off of it, or install malware to steal even more data.”
“We speculate that the default code embedded in the app is there as a mechanism so that the device can still be managed even if the admin’s custom passcode is lost. However, it is a poor developer practice to embed passwords into an app’s shipped code, especially un-encrypted and un-obfuscated,” experts noted.
In this specific there aren’t serious risks for end-users, but it is quite common find mobile apps with hardcoded credentials. Hackers could exploit the embedded password to gain control of the device, at that point it a joke use it to spy on victims or to recruit is in a mobile botnet.
Something similar has already happened in 2014 when experts at IOActive uncovered a number of flaws affecting the RSA Conference Android app, such as information disclosure issues.
Security by design have to be a must for mobile app development, unfortunately due to the rapid diffusion of Rapid Application Mobile Development Tools is it quite easy to publish a mobile app, but in most cases the security requirements are totally ignored.
It is curious that this thing happened at a conference followed by most important experts in the security field.
(Security Affairs – Badge Scanning App, mobile)