Mobile apps increase enterprise attack surface and put sensitive corporate data at risk, according to analytics from Veracode’s cloud-based security platform
BURLINGTON, Mass. — September 2, 2015 — Veracode, a leader in protecting enterprises from today’s pervasive web and mobile application threats, today released analytics from its cloud-based platform showing that, based on its analysis of hundreds of thousands of scans of mobile apps installed in actual corporate environments, the average global enterprise has multiple gambling apps installed in its mobile environment. In fact, some environments were found to contain as many as 35 unique gambling apps. Many of these apps contain adware as well as critical vulnerabilities, such as weak encryption, enabling cyberattackers to gain access to contacts, emails, call history, and phone locations as well as to record phone conversations.
The use of mobile gambling applications is growing exponentially. Juniper Research estimates that smartphone and tablet owners will place upwards of $60 billion in bets by 2018 using casino-type gambling apps — roughly five times the current size of the overall mobile gaming market. Another telling data point is that spending on casino and card games for Android was up 105 percent from November 2013 to November 2014.
At the same time, Gartner estimates that 75 percent of mobile apps will fail basic security tests through 2015. While some of this is due to sloppy programming and the use of insecure open source and third-party libraries, cybercriminals and nation-states are also constantly looking to exploit insecure apps in order to steal corporate intellectual property, track high-profile individuals and/or dissidents, and insert aggressive adware for monetary gain. In addition, free apps typically incorporate advertising software development kits (SDKs) that monetize by sending user data such as identity and location to advertising servers located around the world.
Veracode has identified a number of unsafe slots, poker, black jack and bingo apps, including examples of vulnerabilities and malware such as the following:
- A popular casino app checks to see if a device is rooted or jailbroken, thereby determining if the app has the ability to install additional functionality enabling it to disable anti-malware, replace firmware or view cached credentials such as banking passwords. Additionally this app has the capability to record audio and video and access user identity information, and it can be exploited using a man-in-the-middle (MITM) attack that allows cyberattackers to eavesdrop and even alter network communication.
- A major slots app communicates with its back-end cloud services using unencrypted HTTP rather than the more secure HTTPS protocol. This can be used to build a target profile by revealing sensitive demographic data such as gender, birthday and last login timestamp. Further analysis reveals that the app also downloads up to 24 megabytes of encrypted data from servers located outside the US — without the user’s permission — indicating that it can potentially install malicious software on the fly.
- Ten digital gambling apps — including Gold Fish Casino Slots, Jackpot Party Casino and Texas Poker — can read, write and delete local files as well as directly access network functions such as creating connections to arbitrary servers and receiving data from any source.
Analytics from Veracode’s cloud-based platform also reveal that more than three-quarters of all mobile apps fail basic security policies such as the Mobile OWASP Top 10. Further industry research shows that top attacks include Remote Access Trojans (RATs) for accessing user data, man-in-the-middle (MITM) attacks due to weak cryptography, ransomware that restricts access to devices until the ransom is paid, and fake certificates that enable attackers to side-load malicious apps.
“Like it or not, corporate users are installing risky apps on their mobile devices, thereby increasing the attack surface and putting corporate data at risk as well as compromising the security of high-profile employees such as executives,” said Theodora Titonis, VP of mobile security at Veracode. “Manual approaches for addressing unsafe mobile apps, such as manual pen testing and manually-curated blacklists, are difficult to scale because of the sheer size, complexity and constantly-changing nature of the problem. As a result, they either fail to keep up with mobile threats or frustrate employees by prohibiting apps arbitrarily.”
Enterprises can reduce risk by implementing automated application blacklisting and other policy-based controls via standard MDM/EMM solutions from vendors such as MobileIron, AirWatch by VMware, and Fiberlink, an IBM company. These MDM/EMM solutions are currently integrated with Veracode’s cloud-based reputation intelligence service via APIs, leveraging risk profiles from hundreds of thousands of scans of mobile applications that are continually being assessed using advanced behavioral analysis and machine-learning technology.
Apps analyzed for this study include, among others: Big Fish Casino, Gold Fish Casino Slots, GSN Casino, Heart of Vegas, Hit it Rich Casino Slots, Jackpot Party Casino, Slot Machines House of Fun, Slots Pharaohs Way, Texas Poker, Wonderful Wizard of Oz and Zynga Poker.
 Juniper Research, 2014, “Mobile Gambling: Casinos, Lotteries & Betting 2013-2018” http://www.juniperresearch.com/press/press-releases/annual-wagers-on-mobile-casinos-and-poker-to-excee
 App Annie, 2015, “The Transformation of Casino Gaming” http://blog.appannie.com/uk-mobile-casino-gaming-spotlight-november-2014/