Mobile Gambling Apps Expose Enterprise Data: Report

The number of gambling applications installed on mobile devices used in corporate environments is on the rise, which creates an increasingly favorable environment for data theft and other types of cyberattacks, a recent report from enterprise security company Veracode shows.

According to Veracode, on average, multiple gambling apps are installed in an enterprise environment, and many of these programs are plagued by critical vulnerabilities that can result in privacy breaches and enterprise data theft.

The company notes that the issues often reside in the way the applications are built, as some come with adware or weak encryption, which could allow cybercriminals to access user information such as contacts, emails, call history, or phone location.

Mobile gambling apps are often offered for free, but include advertising software development kits (SDKs) that send user information to third-party servers and can allow outsiders to track individuals and steal corporate intellectual property.

Data from Veracode’s cloud-based platform revealed that some enterprise environments contain as many as 35 unique gambling apps and showed that unsafe slots, poker, blackjack and bingo apps are being used on corporate devices.

The company found a popular casino app to be vulnerable to man-in-the-middle (MITM) attacks, potentially allowing cybercriminals to eavesdrop, and observed that the program also checks whether the device is rooted or jailbroken, which tells it whether it can disable anti-malware software, view banking passwords and other cached credentials, and even replace firmware.

Veracode also discovered a slots application that uses unencrypted HTTP to communicate with back-end cloud services, thus potentially exposing user information, and which downloads encrypted data without the user’s permission. Overall, Veracode found ten digital gambling apps that can read, write and delete local files, while also having the ability to directly access network functions, allowing them to connect to arbitrary servers.

“Like it or not, corporate users are installing risky apps on their mobile devices, thereby increasing the attack surface and putting corporate data at risk as well as compromising the security of high-profile employees such as executives,” said Theodora Titonis, VP of mobile security at Veracode.

Popular attacks on mobile devices include Remote Access Trojans (RATs) and man-in-the-middle (MITM) attacks for accessing user data or eavesdropping, ransomware for restricting access to devices, and fake certificates for side-loading malicious apps, industry research shows.

According to a Juniper Research report, smartphone and tablet owners are estimated to place over $60 billion in bets through casino-type gambling apps by 2018, while Gartner suggests that enterprise users download and install apps that offer few security assurances and that 75 percent of mobile apps will fail basic security tests this year.

Veracode’s study analyzed mobile gaming apps including Big Fish Casino, Gold Fish Casino Slots, GSN Casino, Heart of Vegas, Hit it Rich Casino Slots, Jackpot Party Casino, Slot Machines House of Fun, Slots Pharaohs Way, Texas Poker, Wonderful Wizard of Oz, Zynga Poker, and others.

Mobile gambling applications are certainly not alone in the risks they pose to corporate data. Just about any poorly designed or maliciously developed app can be risky.

Earlier this year, IBM’s Application Security Research Team conducted a study of 41 popular dating applications for Android and determined that more than 60 percent of them are potentially vulnerable to cyberattacks.

“Mobile applications can pose serious risk to enterprise data, customers and security in general, so it is especially important for organizations to be able to identify these apps,” Adam Ely, Founder and COO of Bluebox, wrote in a 2014 SecurityWeek column.

“The first step is to determine if the application is genuine in intention or malicious. It’s difficult to establish the threat without knowing the application’s intent,” Ely continued. “Moreover, mobile malware is often a lesser threat than insecurities in legitimate applications. As such, when identifying risky apps, we must also look at the legitimate applications that have good intent, but may not be as secure as we need them to be.” 

So how can IT and security teams determine what apps could be harmful?

According to Ely, the characteristics of a mobile app that should be evaluated include its overall security posture, how it handles data storage, how or whether it writes to disk, whether data (especially sensitive or PII data) is encrypted, and how long data resides on the device, or whether the app purges data once it has been used.
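One way a security team can turn these criteria, together with the report's findings above (cleartext HTTP to back-end services, local file access, connections to arbitrary servers, access to contacts, call history and location), into an automated first-pass check is to triage a decoded AndroidManifest.xml. The Python example below is added here and is not code from Veracode, Bluebox or the article; the sample manifest is constructed, and the mapping from permissions to risk statements is this editor's assumption.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

def attr(name: str) -> str:
    """Namespace-qualify an android:* attribute for ElementTree lookups."""
    return f"{{{ANDROID_NS}}}{name}"

# Assumed mapping: permissions that correspond to the data and capabilities
# the report describes (contacts, call history, location, disk, network).
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_CONTACTS": "can read contacts",
    "android.permission.READ_CALL_LOG": "can read call history",
    "android.permission.ACCESS_FINE_LOCATION": "can read device location",
    "android.permission.WRITE_EXTERNAL_STORAGE": "can write files to shared storage",
    "android.permission.INTERNET": "can open connections to arbitrary servers",
}

def cleartext_allowed(root: ET.Element) -> tuple[bool, str]:
    """Decide whether unencrypted HTTP is permitted, honouring the platform default."""
    app = root.find("application")
    explicit = app.get(attr("usesCleartextTraffic")) if app is not None else None
    if explicit is not None:
        return explicit.lower() == "true", f"usesCleartextTraffic={explicit}"
    sdk = root.find("uses-sdk")
    # Approximation: when uses-sdk is absent, the platform treats targetSdk as 1.
    target = int(sdk.get(attr("targetSdkVersion"), "1")) if sdk is not None else 1
    # Android permits cleartext traffic by default only when targeting API < 28.
    return target < 28, f"no usesCleartextTraffic attribute, targetSdkVersion={target}"

def triage_manifest(manifest_xml: str) -> list[str]:
    """Return human-readable risk findings for one decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for perm in root.iter("uses-permission"):
        name = perm.get(attr("name"), "")
        if name in SENSITIVE_PERMISSIONS:
            findings.append(f"{name}: {SENSITIVE_PERMISSIONS[name]}")
    allowed, why = cleartext_allowed(root)
    if allowed:
        findings.append(f"cleartext HTTP allowed ({why}): back-end traffic exposed to MITM")
    return findings

# Constructed sample resembling the slots app described in the report.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.slots">
  <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="26"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
  <application android:label="Slots Demo"/>
</manifest>"""

if __name__ == "__main__":
    for line in triage_manifest(SAMPLE_MANIFEST):
        print(line)
```

Run against the constructed manifest this reports three sensitive permissions plus the cleartext default, and setting the target SDK to 28 or adding `android:usesCleartextTraffic="false"` clears the cleartext finding.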

“No mobile app is an island,” Ely said.