Quick Review – ASIS Mobile Show App
Mobile devices provide value at trade shows. Having the information available on the show floor can be a great tool for making better use of your precious time there. Unfortunately, like anything else on your mobile device, a show app introduces another potential place to be attacked. And like most mobile apps, it’s actually made by some third-party developer you weren’t really aware you were trusting. We don’t really need 10,000 physical security professionals wandering around a convention center in Dallas bleeding their overused favorite passwords onto the public internet. All apps should be checked (VMS vendors, we’re looking at you) to ensure they follow reasonable security standards. Trade show apps, since they have a short life span, can be more vulnerable to issues because of the compressed schedules we all place on trade show operators. You really should take an Android device into a test lab and make sure the app applies at least some basic security techniques. Hook it up to your wireless test network and trace its traffic. You really shouldn’t find any surprises. One should not find…
- Devices that bleed the username and password in the URL, in the clear, when asking for data.
- Devices that use TLS to access their home site, but never check the certificates.
- Devices that phone home to inexplicable remote sites (possibly in a foreign country).
- Evidence the back end infrastructure is outdated or insecure.
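As an added example (not part of the original post or the ASIS app), here is a small triage script for the kind of traffic capture that wireless test setup produces. It checks three of the four points above on a constructed log of request URLs: credentials carried in the URL, cleartext HTTP, and connections to hosts outside an expected allowlist. The hostnames, the expected-host list and the credential parameter names are assumptions; the certificate-validation check (second bullet) needs an interception proxy presenting an untrusted certificate and is not modelled here.

```python
"""Triage a captured trade-show-app traffic log against the checklist above.

Added example, not from the original post. Assumes a constructed capture
with one request URL per line (for example, a proxy export).
"""
from urllib.parse import urlsplit, parse_qsl

# Constructed sample capture; hostnames are placeholders, not real services.
SAMPLE_CAPTURE = """\
https://api.example-show.test/session?user=jdoe&password=hunter2
https://api.example-show.test/schedule?day=2
http://cdn.example-show.test/floorplan.png
https://203.0.113.45/beacon?id=abc
"""

# Hosts the app is expected to talk to (assumption: taken from vendor docs).
EXPECTED_HOSTS = {"api.example-show.test", "cdn.example-show.test"}
# Query parameter names that should never appear in a URL (assumed list).
CREDENTIAL_KEYS = {"user", "username", "password", "pass", "pwd", "token"}


def triage_request(url):
    """Return the list of finding tags for a single request URL."""
    findings = []
    parts = urlsplit(url)
    # 1. Credentials in the URL: query strings end up in proxy, CDN and server logs.
    keys = {k.lower() for k, _ in parse_qsl(parts.query)}
    if keys & CREDENTIAL_KEYS:
        findings.append("credentials-in-url")
    # 2. Plaintext transport: anything on the show Wi-Fi can read it.
    if parts.scheme == "http":
        findings.append("cleartext-http")
    # 3. Phoning home to a host that is not on the expected list.
    if parts.hostname not in EXPECTED_HOSTS:
        findings.append("unexpected-host")
    return findings


def triage_capture(text):
    """Map each URL in the capture to its findings; clean URLs are omitted."""
    report = {}
    for line in text.splitlines():
        line = line.strip()
        if line and triage_request(line):
            report[line] = triage_request(line)
    return report


if __name__ == "__main__":
    for url, tags in triage_capture(SAMPLE_CAPTURE).items():
        print(f"{', '.join(tags):32s} {url}")
```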
We checked out the ASIS application. Unlike some other shows we’ve checked in the past, we didn’t find any obvious issues in the app itself. Network traffic is encrypted. It does seem to check the certificate. There’s no obvious bleeding of credentials in the clear. We found a couple of minor issues, which we reported. The vendor responded (reasonably) to our feedback.
So this one looks ok. Of course you should be careful with your credentials, because by definition this app uses your ASIS credentials – that appears to be an ASIS decision.