On Saturday it was reported that the Tory Party Conference app had a flaw within it that exposed all the contact details and other personal information on those registered to attend the conference – including those of senior Tory party members, such as Boris Johnson – and allowed them to make changes to the details.
In response to this, please see below for commentary from Mark Noctor, VP EMEA at Arxan Technologies – the trusted leader of application protection solutions.
Mark Noctor, VP EMEA at Arxan Technologies:
“The Tory app data breach this weekend is just yet another example of how all organisations, whether they are the nation’s governing party or not, must change their mindsets and treat applications as though they are the endpoint. With a whole host of data available, potentially more critical than party member contact details, if these vulnerable front-end pieces of critical infrastructure are not developed securely from the outset, then an embarrassing breach may be the least of your worries. Apps needs to be protected from compromise or attackers can effectively bypass security controls and have access to cryptographic keys, payload formats, credentials, API endpoint references and so much more.
Whilst the Conservative party may now have plugged the hole and stemmed the leak of sensitive data, the question that now must be asked is to what extent have they secured the app? Preventing unauthorised logins is one thing, but they need to ensure that the app cannot be broken into and reverse engineered. Putting a plaster over the gap is going to do little in protecting the app if the foundations themselves are unstable and insecure. Moreover, as the party of government, the Tories are meant to be passing and enforcing laws, this would appear to be a breach of GDPR law, raising to the fore whether enough has really been done to ensure data privacy. There need to be regulations that require app security to be in place and not just seen as a ‘tick box activity’ as it may have been in the past.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.