Employees put business data at risk by installing gambling apps on their phones

mobile phone on gambling table showing showing a connection to gambling apps

The average company has more than one gambling application installed on some of its employees’ mobile devices, and in some cases as many as 35.

If you work for a large, global company, chances are some of your peers have installed gambling apps on the mobile devices they use for work, and that’s bad news for IT security.
A study has found that the average company has more than one such gambling application in some employee devices, putting corporate data stored on those devices at risk.
The analysis was performed by security firm Veracode, which scanned hundreds of thousands of mobile apps installed in corporate mobile environments. The study found that some companies had as many as 35 mobile gambling apps on their network environment.
The company tested some of the most popular gambling apps it detected in corporate environments for potential security risks and found critical vulnerabilities that could enable hackers to gain access to a phone’s contacts, emails, call history and location data, as well as to record conversations.

For example, one casino app contained code for checking if the device was rooted or jailbroken, which could give the app unfettered access to the device. The app already had the capability to record audio and video and access user identity information, but on top of that it was also vulnerable to man-in-the-middle attacks that could allow hackers to sniff or alter its communications, the Veracode researchers said.
Another slots app didn’t use encryption when communicating with its back-end servers, allowing potential attackers to intercept its traffic and extract user demographic data like gender and birthday.

Ironically, the app downloaded 24 megabytes of encrypted data from servers outside the U.S., without the user’s permission, the researchers said.

Ten other gambling apps had access to read, write and delete local files as well as to open network communications with arbitrary servers, a possibly risky activity in a tightly-controlled corporate network environment.

Veracode did not say which gambling app had specific vulnerabilities, but the apps it tested included Big Fish Casino, Gold Fish Casino Slots, GSN Casino, Heart of Vegas, Hit it Rich Casino Slots, Jackpot Party Casino, Slot Machines House of Fun, Slots Pharaohs Way, Texas Poker, Wonderful Wizard of Oz and Zynga Poker.

Free mobile applications, including gambling ones, typically bundle advertising libraries that siphon off device and user identifying information. Past research has shown that many of these libraries don’t use HTTPS, therefore exposing potentially sensitive information to man-in-the-middle attacks.

To reduce the risk of unauthorized mobile applications leaking sensitive corporate data, companies are advised to implement application blacklisting policies like those enforced by mobile device management (MDM) or enterprise mobility management (EMM) products.

See original story here

Constantin, L. (2015) Employees put business data at risk by installing gambling apps on their phones. Available at: http://www.pcadvisor.co.uk/news/security/employees-put-business-data-at-risk-by-installing-gambling-apps-on-their-phones-3624492/ (Accessed: 28 June 2016).

EPIC comment:

‘Information security and data protection are some of the most important issues to a risk department and senior management team of an organisation. We know that 73% of the UK gamble in some form each year. We also know that by far the most popular way to gamble is now online and more and more through smartphones and tablets. Gambling is now available 24/7 and is completely anonymous. This research shows that gambling at work doesn’t just lead to welfare and duty of care issues it also potentially leads to data protection and security issues that have the scope to damage an organisations brand, reputation and financial position’ Paul Buck, CEO, EPIC Risk Management