Gambling apps put corporations at risk, says Veracode.

Social casino apps are compromising corporate mobile environments and exposing companies to increased risk of cyberattacks, according to Veracode. (Image: computerworld.com)

The gambling apps installed by a company’s employees could be putting its security systems at risk, according to a new report by cloud-based app security firm, Veracode.

After scanning thousands of such apps installed on mobile devices used for work, the company found that the “average global enterprise has multiple apps installed on its mobile environment,” with some environments found to contain “as many as 35.”

Veracode tested 11 different “gambling apps,” all of which were, in fact, free-to-play social casino apps, as opposed to real-money online casino apps, although, unhelpfully, the study itself does not highlight the distinction between the two.

However, the risks uncovered certainly highlight the need for regulation of the social casino industry and a similar study of the regulated real-money online gambling apps, compared with unregulated, would certainly be a welcome follow up research project.

Malicious Software

“Many of these apps contain adware as well as critical vulnerabilities, such as weak encryption, enabling cyberattackers to gain access to contacts, emails, call history, and phone locations as well as to record phone conversations,” warned Veracode.

One “popular casino app” is able to check if a device is rooted or jailbroken; ie, whether an iPhone, for example, has been altered to circumvent the restrictions imposed by its own operating system.

This, says Veracode, means the app has the ability to disable anti-malware software on the device, as well as view cached information, like passwords and user identity details, and this renders the device vulnerable to hackers.

Veracode also found that a popular slots app uses inadequate, unencrypted HTTP protocol, and had the potential to install malicious software.

Meanwhile, it said, “free apps typically incorporate advertising software development kits (SDKs) that monetize by sending user data such as identity and location to advertising servers located around the world.”

Corporate Data at Risk

No one app is specifically named and shamed in the study; instead, Veracode opted for a guilt-by-association approach: Big Fish Casino, Gold Fish Casino Slots, GSN Casino, Heart of Vegas, Hit it Rich Casino Slots, Jackpot Party Casino, Slot Machines House of Fun, Slots Pharaohs Way, Texas Poker, Wonderful Wizard of Oz and Zynga Poker, were all analyzed, the company said.

And while Veracode is not accusing the creators of these specific apps of attempting to destabilize corporate systems, it urges companies to take caution at a time when “cybercriminals and nation-states are … constantly looking to exploit insecure apps in order to steal corporate intellectual property, track high-profile individuals and/or dissidents, and insert aggressive adware for monetary gain.”

“Like it or not, corporate users are installing risky apps on their mobile devices, thereby increasing the attack surface and putting corporate data at risk as well as compromising the security of high-profile employees such as executives,” said Theodora Titonis, VP of mobile security at Veracode.