
Event App Security – Is it taken seriously?

October 7, 2018

The recent Tory Party Conference app privacy and security breach raises an important question: do apps undergo security testing?

The answer, it seems, is that very few do.

The immediate consequence falls on the end user. In this case several politicians have apparently had to change their telephone numbers, which for any of us is a major disruption to friends, family and work, but for a high-profile politician the consequences go wider, to personal safety and security.

In April 2018 Security Intelligence scanned a generic set of mobile apps (not just event apps) and found 85% had exploitable vulnerabilities. What makes it likely that event apps exceed this percentage is that the vast majority are "one off", built specifically for one event. They are built on a tight time and cost budget that allows for neither independent security analysis nor what is generally referred to as pen (penetration) testing. In the case of the Tory Party Conference app, what is clear is that there was not even time for proper app testing, as the vulnerability exposed in the CrowdComms-developed app needed zero hacking capability: any end user could gain full control of another user's account just by knowing their email address.
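The flaw described above is an authorization failure: the app treated a client-supplied email address as proof of identity. The following is an added example, not code from the CrowdComms app or from Krowd, that puts that broken pattern beside a hardened one. All names (`ACCOUNTS`, `SESSIONS`, `vulnerable_profile`, `hardened_profile`) and the sample accounts and passwords are constructed for illustration; the server-side session store and the audit log of denied cross-account requests are the parts a reviewer or pen tester would look for.

```python
import hashlib
import hmac
import secrets

# Constructed sample accounts (assumption, not real data): email -> profile fields
ACCOUNTS = {
    "alice@example.org": {"display_name": "Alice", "phone": "+44 7700 900001"},
    "bob@example.org": {"display_name": "Bob", "phone": "+44 7700 900002"},
}


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the credential store never holds plaintext passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed demo passwords, hashed at import time into the credential store
_DEMO_PASSWORDS = {"alice@example.org": "correct horse", "bob@example.org": "battery staple"}
CREDENTIALS = {}
for _email, _pw in _DEMO_PASSWORDS.items():
    _salt = secrets.token_bytes(16)
    CREDENTIALS[_email] = (_salt, _hash_password(_pw, _salt))

SESSIONS = {}    # server-side: token -> email of the user who authenticated
DENIED_LOG = []  # audit trail of rejected requests, for detection and review


def login(email: str, password: str):
    """Verify the password and issue an unguessable server-side session token."""
    record = CREDENTIALS.get(email)
    if record is None:
        return None
    salt, expected = record
    if not hmac.compare_digest(_hash_password(password, salt), expected):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = email
    return token


def vulnerable_profile(email: str):
    """Broken pattern: the email in the request is taken as proof of identity,
    so anyone who knows a victim's email address receives that account's data."""
    return ACCOUNTS.get(email)


def hardened_profile(token: str, email: str):
    """Identity comes from the server-side session, never from the request.
    The requested email must match the session owner; mismatches are logged."""
    owner = SESSIONS.get(token)
    if owner is None:
        DENIED_LOG.append(("no-session", email))
        return None
    if owner != email:
        DENIED_LOG.append(("cross-account", owner, email))
        return None
    return ACCOUNTS.get(email)


if __name__ == "__main__":
    # Alice logs in, then asks for Bob's record through both endpoints.
    tok = login("alice@example.org", "correct horse")
    print("vulnerable:", vulnerable_profile("bob@example.org"))
    print("hardened:", hardened_profile(tok, "bob@example.org"))
    print("denied log:", DENIED_LOG)
```

The hardened endpoint never consults the request for who the caller is; the only identity it trusts is the one bound to a token the server itself issued after a credential check. The `DENIED_LOG` entries are the signal a monitoring team would alert on, since a burst of cross-account lookups from one session is exactly what enumeration of other attendees' records looks like.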

Earlier this year we demonstrated our Krowd app, and the crowd safety and security features then under development, to West Midlands Police. They were interested and asked if we'd be ready for the Tory Party Conference. We said no, simply because we knew we had plans to undergo security testing and it might not be complete in time for that event. Perhaps we were prescient?

Having undertaken an independent pen test, we can attest to its value. We are a company that works hard to protect people's privacy (world's first GDPR-compliant event app) and to sustain the confidentiality of company and customer information, so we pay attention to security as the foundation for privacy in a digital age. Despite this we were alerted to several security weaknesses to fix, and advised of a number of techniques to further enhance the security of the system. As we are also undertaking product research and extensions for the UK Office of Counter-Terrorism, we are reviewed by their programme agency, the CTS Division of DSTL in the Ministry of Defence, who reviewed the pen test results and ensured certain additional tests were undertaken to address counter-terror concerns. Overall this effort took a month of time and over 3 man months of engineering and consultant effort, a timescale which is not visibly costed into any event app price model that we have yet found.

Because we have built one app that works at any event without modification, the value of this pen test carries over to every event our Krowd app is applied to. The point is that, for the majority of the event app market, the approach to app development does not allow surety or confidence that either your customer data or their personal privacy won't be easily breached.

More broadly, we are concerned the general app industry is a long way behind in understanding the importance of security as a foundational aspect of building any software, especially software that takes data such as location, telephone numbers or other sensitive identifying information. We should take the Tory Party Conference app example as a reminder to us all: ask your app supplier, "have you done a pen test?" It's the baseline for trust in digital systems.

John Trickett, the Labour Shadow Cabinet Office minister said “How can we trust this Tory government with our country’s security when they can’t even build a conference app that keeps the data of their members, MPs and others attending safe and secure?” to which we say “so tell me your conference app was independently pen tested!”

