After learning about a smartphone app dedicated solely to this week's RSA security conference in San Francisco, I publicly questioned why anyone would install it. After all, RSA's recently discovered history of either deliberately or unknowingly seeding its trusted products with dangerous code developed by the National Security Agency has left many people suspicious.

A day later, researchers have uncovered two vulnerabilities in the app that make it hard for me to resist the urge to say "I told you so." One of them discloses the name, surname, title, employer, and nationality of people who have installed the app, according to Gunter Ollmann, a researcher at security firm IOActive. For reasons unknown, the information resides in an SQLite database file that's bundled with the app. Opening it and reading the contents are trivial.

"I have no idea why the app developers chose to do that, but I'm pretty sure that the folks who downloaded and installed the application are unlikely to have thought that their details [were] being made public and published in this way," he wrote in a blog post published Wednesday morning. "Marketers love this kind of information though!"
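As an added example (not code from the article or from IOActive), here is the pre-release check a developer or app reviewer would run to catch exactly this mistake: walk an unpacked app bundle, find every file that is really a SQLite database, and flag tables whose columns look like the attendee fields described above. The bundle, the database and the column-name heuristics are constructed for the example.

```python
import os
import sqlite3
import tempfile

# Column-name fragments suggesting personal data; the first five are the
# fields the conference app shipped, the rest are assumed extras.
PII_HINTS = ("name", "surname", "title", "employer", "nationality",
             "email", "phone", "company")


def audit_sqlite_file(path):
    """Return {table: (row_count, [pii_columns])} for tables holding PII-like columns."""
    findings = {}
    con = sqlite3.connect(path)
    try:
        tables = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table'")]
        for table in tables:
            cols = [r[1] for r in con.execute(f'PRAGMA table_info("{table}")')]
            hits = [c for c in cols if any(h in c.lower() for h in PII_HINTS)]
            if hits:
                count = con.execute(f'SELECT COUNT(*) FROM "{table}"').fetchone()[0]
                findings[table] = (count, hits)
    finally:
        con.close()
    return findings


def audit_bundle(root):
    """Walk an unpacked app bundle and audit every file carrying the SQLite magic header."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as f:
                if f.read(16) != b"SQLite format 3\x00":
                    continue  # not a SQLite database, whatever its extension
            findings = audit_sqlite_file(path)
            if findings:
                report[os.path.relpath(path, root)] = findings
    return report


def build_sample_bundle():
    """Construct a throwaway bundle with a database shaped like the one described."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "assets"))
    con = sqlite3.connect(os.path.join(root, "assets", "attendees.db"))
    con.execute("CREATE TABLE attendee (id INTEGER, name TEXT, surname TEXT,"
                " title TEXT, employer TEXT, nationality TEXT)")
    con.executemany("INSERT INTO attendee VALUES (?,?,?,?,?,?)", [
        (1, "Alice", "Example", "CISO", "ExampleCorp", "US"),   # constructed
        (2, "Bob", "Sample", "Analyst", "SampleCo", "DE")])     # constructed
    con.commit()
    con.close()
    return root
```

A non-empty report from `audit_bundle` on a release build means attendee records are shipping inside the package where anyone who installs it can read them.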

Ollmann said that the app also leaves users open to man-in-the-middle attacks, which are most often launched on public Wi-Fi networks. Hackers could exploit it by injecting additional code into the login sequence and extracting account credentials. Ollmann's post didn't say exactly what caused the vulnerability. Typically, such weaknesses are the result of a failure to properly use the Transport Layer Security (TLS) protocol to encrypt communications as they pass between the app and a Web server. But there may be other technical flaws that cause or at least contribute to the eavesdropping weakness.

There are a few reasons why eavesdropping on an app dedicated to the RSA conference shouldn't be overstated. For one thing, depending on how the app is set up, there may not be much an attacker can do with the credentials. For another, in years past, the wireless network at RSA's conference has been one of the more secure public Wi-Fi hotspots available. It typically uses a separate encryption key to secure each connecting device, making it hard for one attendee to monitor the communications of another. Of course, that protection is lost the moment someone uses the app on the unsecured network of a nearby bar or hotel.

"If we were dealing with a banking application, then heads would have been rolling in an engineering department, but this particular app has only been downloaded a few thousand times, and I seriously doubt that some evil hacker is going to take the time out of their day to target this one application (out of tens-of-millions) to try phish credentials to a conference," Ollmann wrote.

Still, the RSA conference is attended by high-ranking executives from powerful companies from all over the world. They're precisely the people attackers waging "advanced persistent threats" and other sophisticated espionage campaigns most want to target. Any app that provides a way for attackers to remotely monitor or tamper with any content on attendees' phones should be regarded as a potential threat that should be avoided.

Given the questionable benefit of reading schedules on a smartphone instead of old-fashioned paper, there was already some reason to resist installing yet another app. After all, a core security tenet is to reduce attack surface by running only apps and services that are truly needed. In light of the vulnerabilities that IOActive is reporting, there's an even stronger case to be made for RSA attendees to pass on this one.