Ten of the most popular Android sports betting apps are potentially putting their users at risk from a range of cybersecurity dangers, a new report has claimed.
Analyzing the top 10 apps, which cumulatively have more than 21 million downloads, researchers from Synopsys found that the apps have, on average, 125 components, 10 of which are usually vulnerable. On average, each app has 179 vulnerabilities.
These vulnerabilities tie back to the use of open-source dependencies, the researchers further claim. While all of the apps are being actively worked on, some use open-source components as old as 12 years. “In the software world, two or three years is a long time,” the researchers added.
While known vulnerabilities in open-source components aren’t necessarily exposed in the app, the researchers further said, the older the component – the higher the risk. What’s more, using outdated components means the devs aren’t managing their dependencies properly, meaning “they are not handling security well in general”.
To make matters even worse, things seem to be going downhill for sports and betting apps. In last year’s analysis, which included 3,335 apps, 63% have had vulnerable components, down from today’s 100%, while the average number of vulnerabilities per app sat at 39 (down from 179 today).
All this being said, the researchers still did not want to unequivocally state that the apps are not safe to use. “That’s like asking a team of mechanical engineers to review an airplane’s landing gear system and avow that it is safe to be a passenger in that airplane,” they say.
Software composition analysis (SCA), as was done here, “is just one important part of a secure software development life cycle. By using a process that includes security (opens in new tab) at every step, developers can create software that is resilient, secure, and minimizes risk for both their own organization and their customers,” the researchers concluded.