The Nightmare Beyond Your Injured Draft Pick: 38% of Top Fantasy Sports Mobile Apps Have Security or Privacy Flaws
Posted by Amy Schurr

The new NFL season kicks off on Sept. 7, 2018 and the NHL and NBA seasons resume a few weeks later. As their favorite players take the field, ice and court, millions of fans will wield their mobile devices to check game scores and compete in fantasy sports leagues. But just like some of the weaker professional sports teams, it turns out that many fantasy sports apps have holes in their defenses.
NowSecure analyzed the cybersecurity risk level of 60 publicly available fantasy sports apps from Google Play™ and the Apple® App Store®, including fantasy, companion, daily competition, gaming and live coverage apps. We evaluated Bleacher Report, CBS Sports Fantasy, ESPN Fantasy Football, DraftKings, Draft Wizard, Fan Duel, Footballguys Draft Dominator, Madden NFL Overdrive Football, NBA Live Mobile, Yahoo Fantasy Sports, and many more.
Overall, we found that 38% of the Android and iOS apps have high and/or critical vulnerabilities such as unencrypted information, leaking personal data or exposure to man-in-the-middle attacks. Only 18% of the mobile apps evaluated in our benchmark carry very low or no risk.
Those results should concern both fantasy sports app users and their employers, given the BYOD mobility trend in the workplace. According to the Fantasy Sports Trade Association, more than 59 million people in the United States and Canada played fantasy sports in 2017. And because 39% of fantasy sports players primarily use a mobile app on a smartphone or tablet, millions of users may unknowingly be at risk of cyberattacks at work or play.
[Figure: among fantasy sports players who use mobile devices, the reasons they access websites via those devices. Source: Fantasy Sports Trade Association]
Fantasy sports represents a $7.2 billion market, so it’s no surprise that the industry also attracts cybercriminals. A few years ago, hackers managed to access the Yahoo Fantasy Sports football app to change team lineups and impersonate users in discussion boards. But given the money that changes hands, other attackers could have more nefarious intent.
Fantasy Sports App Stats
Using the NowSecure automated mobile app security testing engine, we analyzed 32 Android and 28 iOS fantasy sports industry mobile apps for security vulnerabilities, compliance gaps and privacy exposure. We determined a grade using industry-standard CVSS scores while mapping findings to the OWASP MASVS.
The NowSecure Score Risk Range is a scoring algorithm based on the count and score values of all CVSS findings; CVSS is the industry-standard method for rating IT vulnerabilities and determining the urgency of remediation. On an overall risk range of 0-100, apps scoring lower than 60 present a high degree of risk, while those scoring 80 or above are deemed low risk. Overall, the median score of all the mobile apps we analyzed was a cautionary 79 risk rating — 76 for Android and 64 for iOS. 18% of the fantasy sports apps scored above 80 on the NowSecure Risk Range: 16% of the Android apps and 21% of the iOS apps reached that level. Those fantasy sports apps with potential security shortcomings were in good company, as 93% fail one or more requirements of the OWASP MASVS, a de facto mobile security standard.
The bar graph below shows that the NowSecure Security Risk Range for these fantasy sports apps spans a low of 44 to a high of 100, revealing wide variation in the cybersecurity posture of these apps.

The two charts below plot the overall NowSecure Risk Score based on CVSS findings (scaled 0-100) against the count of findings for the Android and iOS apps. The results show that 9 Android apps (first chart) and 14 iOS apps (second chart) failed because of critical- and high-risk findings.
A review of the benchmark findings shows that the most common issues we encountered were local authentication, cookie handling, iOS App Transport Security (ATS) and key size. The worst failures were exposure to man-in-the-middle attacks, invalid certificates, arbitrary code execution, and unencrypted credentials and personally identifiable information (PII) in local files and over HTTP.
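To illustrate the iOS ATS finding named above, here is an added Info.plist example (constructed for this post, not taken from the benchmark or from any of the apps named): the weak setting that disables App Transport Security for every connection, followed by a tightened form that keeps ATS on and scopes the one relaxation a legacy backend might need to a single host. The host name legacy.example.com is a placeholder.

```xml
<!-- Weak: switches App Transport Security off for the whole app, so the
     app will accept plain HTTP and weaker TLS to any host. This is the
     pattern a static scan typically flags as an ATS finding. -->
<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
</dict>

<!-- Tightened: no global exception, so every other connection must use
     HTTPS with TLS 1.2 or later and forward secrecy. Only the one legacy
     host (placeholder name) is allowed to skip forward secrecy; it still
     may not use plain HTTP or a TLS version below 1.2. -->
<key>NSAppTransportSecurity</key>
<dict>
    <key>NSExceptionDomains</key>
    <dict>
        <key>legacy.example.com</key>
        <dict>
            <key>NSIncludesSubdomains</key>
            <true/>
            <key>NSExceptionAllowsInsecureHTTPLoads</key>
            <false/>
            <key>NSExceptionMinimumTLSVersion</key>
            <string>TLSv1.2</string>
            <key>NSExceptionRequiresForwardSecrecy</key>
            <false/>
        </dict>
    </dict>
</dict>
```

A quick check on a built app is to dump its Info.plist with `plutil -p` and confirm that NSAllowsArbitraryLoads is absent or false, and that every entry under NSExceptionDomains is a host the app genuinely needs.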
This benchmark underscores the challenges developers have in building and testing secure fantasy sports mobile apps. Companies seeking to build and deliver secure mobile apps should integrate mobile application security testing in their development processes.
The NowSecure platform automatically tests mobile app binaries using a triple-pass approach of static, dynamic and behavioral analysis on real mobile devices. This automated, multi-pass approach takes an attacker's point of view to yield thorough, highly accurate risk results based on industry-standard CVSS scores and leading compliance regulations.
Curious about other apps employees bring into your organization? Obtain a free risk assessment for a third-party mobile app of your choice.