Employees put business data at risk by installing gambling apps on their phones

If you work for a large, global company, chances are some of your peers have installed gambling apps on the mobile devices they use for work, and that’s bad news for IT security.

A study has found that the average company has more than one such gambling application in some employee devices, putting corporate data stored on those devices at risk.

The analysis was performed by security firm Veracode, which scanned hundreds of thousands of mobile apps installed in corporate mobile environments. The study found that some companies had as many as 35 mobile gambling apps on their network environment.

The company tested some of the most popular gambling apps it detected in corporate environments for potential security risks and found critical vulnerabilities that could enable hackers to gain access to a phone’s contacts, emails, call history and location data, as well as to record conversations.

For example, one casino app contained code for checking if the device was rooted or jailbroken, which could give the app unfettered access to the device. The app already had the capability to record audio and video and access user identity information, but on top of that it was also vulnerable to man-in-the-middle attacks that could allow hackers to sniff or alter its communications, the Veracode researchers said.

Another slots app didn’t use encryption when communicating with its back-end servers, allowing potential attackers to intercept its traffic and extract user demographic data like gender and birthday.

Ironically, the app downloaded 24 megabytes of encrypted data from servers outside the U.S., without the user’s permission, the researchers said.

Ten other gambling apps had access to read, write and delete local files as well as to open network communications with arbitrary servers, a possibly risky activity in a tightly-controlled corporate network environment.

Veracode did not say which gambling app had specific vulnerabilities, but the apps it tested included Big Fish Casino, Gold Fish Casino Slots, GSN Casino, Heart of Vegas, Hit it Rich Casino Slots, Jackpot Party Casino, Slot Machines House of Fun, Slots Pharaohs Way, Texas Poker, Wonderful Wizard of Oz and Zynga Poker.

Free mobile applications, including gambling ones, typically bundle advertising libraries that siphon off device and user identifying information. Past research has shown that many of these libraries don’t use HTTPS, therefore exposing potentially sensitive information to man-in-the-middle attacks.

To reduce the risk of unauthorized mobile applications leaking sensitive corporate data, companies are advised to implement application blacklisting policies like those enforced by mobile device management (MDM) or enterprise mobility management (EMM) products.