Recently, the event industry has taken notice concerning security within mobile apps based on an article concerning the RSA mobile app by Quick Mobile Security researchers from IOActive have decided to take a look at the app to see just how secure it is. In a short amount of time, they identified a total of six flaws.”[1] The article notes two issues that are really concerning:

“The most severe of them can be exploited for man-in-the-middle (MitM) attacks. An attacker could inject a phishing page into the login sequence to trick users into handing over their credentials.”1 And, “The information in the app is retrieved from an SQLite database file that’s downloaded to the smartphone. This file contains the information of every user who has signed up for the RSA Conference 2014 app, including full name, company and title.”[1]

Yes, these are very concerning breaches. This has prompted our customers and potential customers to ask the question “How secure is our app and what does Core-apps do to prevent something like this from happening to us”? I am glad this has awoken the event industry. We have been preaching protection of customers’ data and user privacy since the beginning! Not that long ago, the state of California sued Delta airlines for not publishing a privacy policy inside their app because of the information they were collecting:

http://www.infolawgroup.com/2012/12/articles/privacy-law/california-attorney-general-sues-delta-air-lines-for-failing-to-have-a-mobile-app-privacy-policy/

The suit was later dismissed but it started a very important dialog about user data. We all need to be concerned about what information is being collected and how it is being used inside of the mobile apps we use daily.

First, let me say that NO ONE’s mobile app is ever going to be completely 100% secure! If the FBI, CIA, Bitcoin banks (recently), credit card companies, Target, and other highly secure websites/domains can be hacked, no matter what we do we will not stop them completely. If a hacker wants to break in, they will have ample time to do so and they will figure out how to breach a mobile app. There is a fine line here because if we make the app too secure, it creates a barrier to entry and usage. The added complexity can also significantly increase app support requests when users can’t get access into the app. This can cause low download numbers, lack of usage, drop in sponsorships, and the wonderful experience you were expecting to get out of your mobile app – goes away!

At Core-apps, our team makes it their job to educate our clients about mobile app security. We work on ways to make sure sensitive information is not accessible in the app or if it is really sensitive we keep it out of the app but still provide access in other ways. We also teach customers about having a privacy policy that notes what information is collected to help protect us and our clients. DIY app vendors don’t provide that type of service and there is no one there to protect customers from uploading information that can be compromised. We developed features that require users to opt-in and ways to protect user and customer data. We use encryption techniques to secure data so that attackers can’t trick users with man-in-the-middle attacks into handing over their information. For obvious reasons I will not go into detail regarding these techniques but as our President, Jesse Snipper noted, “every effort is made to keep customer data secure when that is requested but as with all security, it makes access harder — most clients opt away from security and instead choose to limit what they put in the app to publicly available information.”

My Father always told me to make sure I locked up my bike at night when I was done riding it. He used to say it was not to keep the thief from stealing it but so they would go the next rack where the bike was not locked because it was a lot easier to steal that one than the one that is locked!

For more information regarding how to secure your app with and without multiple levels of security, contact your Core-apps sales rep or email us info@core-apps.com


“You can not do today’s job with yesterday’s methods and be in business tomorrow!” Anonymous

Jay Tokosch
Core-apps, LLC.
CEO