• United States




‘Defense wins championships’ in application security and NFL

Feb 05, 20164 mins
AndroidApplication SecurityConsumer Electronics

Of the more than 20 Super Bowl Apps tested by Appthority, the Carolina Panthers Android app exhibited more risky behaviors than their Super Bowl opponent, the Denver Broncos 365 app.

Given their incredible seasons, it’s no surprise that the big game will be featuring the Denver Broncos and Carolina Panthers, two of the best defenses in the NFL. While they battle it out on the field, fans will be watching on lots of mobile devices, so Appthority took a look at the official team mobile apps to see which one offers the best security.

Appthority was started early in 2011 by well versed security professionals who noted the growth of apps in the workplace. While many apps were created for social uses, the explosion of apps on mobile devices has created a lot of risk for enterprises.

Those risks are not always malicious and can range from undetected issues in the software developing kits to unintended mistakes from developers. Appthority uses an analysis engine and searches hundreds of thousands of apps for vulnerabilities to find out what risks live in the devices.

To prove that security isn’t always about finding the bad guys, the Appthority team decided to have a little Superbowl fun. Here’s what they found when they analyzed apps that will be heavily used on Sunday.

  • Of the more than 20 Super Bowl Apps tested, the Carolina Panthers Android app exhibited more risky behaviors than their Super Bowl opponent, the Denver Broncos 365 app.
  • Be careful if you plan on streaming the game live on the CBS Sports Android app as it was found to have the highest amount of risky traits.
  • The NFL Fantasy Football app for Android had the highest combination of risky behaviors, including background access to the phone and device configuration.

Domingo Guerra, president and co-founder of Appthority said, “Overall we analyzed every app through our complete set of engines, looking for over 100 different traits from malware to location finder.”

Because reading your location is different than sending your address book, they applied different weights based on what the apps are capable of doing, so their scores were determined by behaviors. 

They found the CBS app risky, “because of the number of behaviors it was capable of doing. It didn’t have malware, but did have traits we are seeing more and more—like being able to run in the background,” said Guerra.

The concern with running in background is that these apps are collecting audio or video. It’s a behavior tantamount to cookies on a website. 

One other behavior of particular concern to the enterprise is the ability to access the calendar, which Guerra said is not necessarily required for functionality. “The calendar has a lot of information that could be confidential. Dial in numbers, passwords, topics,” said Guerra.  

While some might feel indifferent about this behavior, it’s worth pausing to think about what access to a calendar can reveal. Appointments, dial in numbers, passcodes, contact information. Topics being discussed in a conference call. All of which can result in a breach of more critical data.

The CBS app also sends PII, and Guerra said, “It’s one of the few apps that did. Your name, birthday, username—it was encrypted, but it is concerning. More 3rd parties can potentially gain access to our personal data and track our locations.”

The most alarming behavior is that the app replaces a random number generator, “which is not following best practices for security,” said Guerra. “Android and iOS create a random number generator specifically to help with encryption,” and replacing that number can create encryption problems, which makes the app more vulnerable.

[ ALSO ON CSO:  Network security vs. app security: What’s the difference, and why does it matter? ]

So, the final prediction if we are basing the outcome of the game on the strength of their app defense, “The Broncos app has a little better security because it showed fewer risky behaviors,” said Guerra. “Neither is sending PII. One is tracking location the other isn’t, but the Panthers app replaces the random number generator.”

Maybe users are thinking, it’s just a team app, but if they are logging in with the same username and password that they use on other applications, websites, or networks, the risky behaviors of that team app become far more important to enterprise security.

If you didn’t have your money on the Broncos before now, perhaps you want to hedge your bets, just don’t use the NFL fantasy football app to do it.


Kacy Zurkus is a freelance writer for CSO and has contributed to several other publications including The Parallax, and K12 Tech Decisions. She covers a variety of security and risk topics as well as technology in education, privacy and dating. She has also self-published a memoir, Finding My Way Home: A Memoir about Life, Love, and Family under the pseudonym "C.K. O'Neil."

Zurkus has nearly 20 years experience as a high school teacher on English and holds an MFA in Creative Writing from Lesley University (2011). She earned a Master's in Education from University of Massachusetts (1999) and a BA in English from Regis College (1996). Recently, The University of Southern California invited Zurkus to give a guest lecture on social engineering.

The opinions expressed in this blog are those of Kacy Zurkus and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.

More from this author