Wild West of Conference Apps Security
Most conference apps are developed by outsourced third-party firms, which means that these apps may not be as secure as you would think they would be. We took this hypothesis and tested out a few thousand conference apps built by third-party firms for data leakage to see what kind of PII/sensitive data we could extract.
In this talk I want to go over the methodology of testing, what was found, how (not) difficult it was to find them, and measures teams can take to decrease exposure. I want to take this opportunity to call out to security teams to dedicate resources to securing their conference apps.
This talk will cover security issues in conference apps. A lot of companies use vendors to create their conference apps. These vendors have a template and keep adding new customer apps to it. Based on our research we have found thousands of such apps on the Apple iOS store and the Android Store.
This is ongoing research, concentrating on what data is being leaked by these conference apps. I was able to gather almost 500k users' PII (possible duplicates among attendees of different conferences), including in some cases first name, last name, email, phone number etc. In one case I found EXIF data in the profile pictures of attendees which leaked info like which phone was used to take the photo, date/time, location etc.
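The EXIF exposure above is straightforward to check for and to remove on the server side before a profile picture is stored or served. The following is an added illustration, not code from the talk or from any vendor: a dependency-free scan of a JPEG's Exif APP1 segment for the tags that carry device, timestamp and GPS information, and a stripper that drops APP1 and COM segments while leaving the image data untouched. The sample JPEG is constructed inline (a bare SOI, Exif segment and EOI with dummy tag values) purely to exercise the parser.

```python
import struct

# IFD0 tags that reveal device, capture time and location; tag numbers are per the EXIF spec.
SENSITIVE_TAGS = {0x010F: "Make", 0x0110: "Model", 0x0132: "DateTime", 0x8825: "GPSInfo"}

def build_exif_app1(entries):
    """Build a little-endian Exif APP1 segment from (tag, type, count, value) tuples.
    Value payloads are omitted: only tag presence matters for the scan below."""
    ifd = struct.pack("<H", len(entries))
    for tag, typ, count, val in entries:
        ifd += struct.pack("<HHII", tag, typ, count, val)
    ifd += struct.pack("<I", 0)                       # no next IFD
    payload = b"Exif\x00\x00" + b"II*\x00" + struct.pack("<I", 8) + ifd
    return b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload

# Constructed sample: SOI + Exif APP1 (Model, DateTime, GPS pointer) + EOI, no scan data.
SAMPLE_JPEG = b"\xff\xd8" + build_exif_app1(
    [(0x0110, 2, 7, 0), (0x0132, 2, 20, 0), (0x8825, 4, 1, 0)]) + b"\xff\xd9"

def iter_segments(jpeg):
    """Yield (marker, payload) for each header segment up to SOS or EOI."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("corrupt marker")
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):                    # EOI or SOS: headers end here
            break
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        yield marker, jpeg[pos + 4:pos + 2 + length]
        pos += 2 + length

def exif_sensitive_tags(jpeg):
    """Return names of sensitive IFD0 tags present in the Exif APP1 segment, if any."""
    found = []
    for marker, payload in iter_segments(jpeg):
        if marker != 0xE1 or not payload.startswith(b"Exif\x00\x00"):
            continue
        tiff = payload[6:]
        endian = "<" if tiff[:2] == b"II" else ">"
        ifd = struct.unpack(endian + "I", tiff[4:8])[0]
        count = struct.unpack(endian + "H", tiff[ifd:ifd + 2])[0]
        for i in range(count):
            off = ifd + 2 + 12 * i
            tag = struct.unpack(endian + "H", tiff[off:off + 2])[0]
            if tag in SENSITIVE_TAGS:
                found.append(SENSITIVE_TAGS[tag])
    return found

def strip_metadata(jpeg):
    """Return the JPEG with APP1 (Exif/XMP) and COM segments removed; pixel data is untouched."""
    out, pos = bytearray(jpeg[:2]), 2
    while pos + 4 <= len(jpeg):
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):
            break
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        if marker not in (0xE1, 0xFE):
            out += jpeg[pos:pos + 2 + length]
        pos += 2 + length
    return bytes(out + jpeg[pos:])                    # SOS, entropy data and EOI copied verbatim
```

Running `exif_sensitive_tags` over a storage bucket of existing profile pictures gives a quick inventory of how many already carry GPS or device data; `strip_metadata` is the upload-time fix.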
I am going to work with conference app vendors to remove outdated apps and better secure customer privacy.
The aim of the talk is to raise awareness of the issue of data leakage in conference apps and better protect citizens of the world, and not to shame anyone.