Hardcoded Password Exposes RSA Conference Badge Scanning App

SAN FRANCISCO – RSA CONFERENCE 2016 – Researchers at Bluebox Security discovered that the badge scanning application provided by RSA Conference organizers to vendors is plagued by a security bypass flaw.

At the 2016 RSA Conference, which is taking place this week in San Francisco, many vendors were provided with Samsung Galaxy S4 smartphones that run an Android app that allows companies to keep track of booth visitors by scanning their badges. The scanning devices run in what is known as “kiosk mode,” which means they cannot be used for anything except scanning badges, unless the app administrator unlocks them using a password.

Researchers at Bluebox Security downloaded a copy of the badge scanning app from Google Play and, after analyzing its code, they discovered that this security mechanism can be bypassed because developers embedded a default password in the application’s code in plain text.

“When we used that passcode we were able to gain access to the kiosk app’s settings. This, in turn, let us gain access to the device’s system settings, which then enabled us to put the device into developer mode to gain full access to the device,” Bluebox Security researchers explained. “This is concerning because if we can do this, an attacker can too, letting them root the device, pull any data off of it, or install malware to steal even more data.”

“We speculate that the default code embedded in the app is there as a mechanism so that the device can still be managed even if the admin’s custom passcode is lost. However, it is a poor developer practice to embed passwords into an app’s shipped code, especially un-encrypted and un-obfuscated,” experts noted.
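To make the developer-practice point concrete, here is an added example (not code from the RSA Conference app or from Bluebox) contrasting the pattern described above, a shipped fallback passcode compared in plain text, with a hardened unlock that stores only a salted PBKDF2 hash of the admin-set passcode and has no embedded fallback at all. The class and method names, the placeholder passcode values, and the PBKDF2 parameters are all assumptions; it is plain Java so it runs with `javac`/`java` outside Android.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.security.spec.KeySpec;
import java.util.Arrays;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class KioskUnlock {
    // VULNERABLE pattern: a fallback passcode shipped inside the app, readable by
    // anyone who decompiles the APK. Value is a constructed placeholder.
    static final String DEFAULT_PASSCODE = "0000";

    static boolean unlockVulnerable(String entered, String adminPasscode) {
        // Even a custom admin passcode does not help: the baked-in one always works.
        return entered.equals(adminPasscode) || entered.equals(DEFAULT_PASSCODE);
    }

    // HARDENED pattern: only a salted PBKDF2 hash of the admin-set passcode is
    // persisted (e.g. in app-private storage). There is no built-in fallback;
    // a lost passcode is recovered by re-provisioning the device through MDM.
    static final int ITERATIONS = 100_000; // assumed cost parameter

    static byte[] newSalt() {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        return salt;
    }

    static byte[] hashPasscode(char[] passcode, byte[] salt) throws Exception {
        KeySpec spec = new PBEKeySpec(passcode, salt, ITERATIONS, 256);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                .generateSecret(spec).getEncoded();
    }

    static boolean unlockHardened(char[] entered, byte[] salt, byte[] storedHash)
            throws Exception {
        byte[] candidate = hashPasscode(entered, salt);
        boolean ok = MessageDigest.isEqual(candidate, storedHash); // constant-time compare
        Arrays.fill(candidate, (byte) 0); // do not leave the derived key in memory
        return ok;
    }

    public static void main(String[] args) throws Exception {
        // Vulnerable: admin set "7391", but the shipped default still unlocks the kiosk.
        System.out.println("vulnerable, default code: " + unlockVulnerable("0000", "7391"));
        // Hardened: only the admin-set code unlocks; the binary holds no usable secret.
        byte[] salt = newSalt();
        byte[] stored = hashPasscode("7391".toCharArray(), salt);
        System.out.println("hardened, admin code:   " + unlockHardened("7391".toCharArray(), salt, stored));
        System.out.println("hardened, default code: " + unlockHardened("0000".toCharArray(), salt, stored));
    }
}
```

Obfuscating or encrypting the embedded default would only slow down extraction; the fix is that the shipped code contains no unlock secret to extract.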

Bluebox said the RSA Conference badge scanning application was developed by an unnamed third party.

This is not the first time experts have found vulnerabilities in RSA Conference mobile applications. In 2014, IOActive reported uncovering half a dozen flaws in the RSA Conference Android app, including man-in-the-middle and information disclosure issues.

While vulnerabilities in these types of applications might not pose a serious risk, such incidents demonstrate that many mobile apps, including ones developed for security companies, can be insecure.

“With the growing focus on mobile, enterprise CIOs are under pressure to accommodate end-user demands—provisioning secure apps to lines of business and partners, and ensuring fast time to market for customer facing apps,” Adam Ely, founder and COO of Bluebox, said in a recent SecurityWeek column. “As a result, a host of mobile application development platforms (MADP) and rapid mobile application development (RMAD) tools that facilitate app creation have emerged—there are now nearly 90 choices—that make it easier for the technical and non-technical alike to create apps. Now that anyone can create a mobile app, this has led to inconsistency in the security knowledge of a mobile app ‘developer’.”

“This variability in security knowledge, use of outsourced development houses, coupled with time to market pressures that favor usability over security features, results in less secure apps,” Ely added.

*Updated to clarify that the app was developed by a third party

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
