- On the eve of Super Bowl 57, mobile sports betting applications are riddled with open-source software components, some of them outdated, raising the risk of being hacked, according to Synopsys Cybersecurity Research Center research released Tuesday.
- Researchers analyzed ten popular applications from the Google Play store, representing more than 21.5 million downloads. Each app had an average of 10 vulnerable components and 179 vulnerabilities, out of an average of 125 total components per app, Synopsys found.
- Open-source components that are two to three years old are considered outdated, Synopsys said, but there were components found during its analysis dating back to 2010.
The popularity of mobile sports betting and fantasy sports has exploded in recent years, with millions of fans downloading applications to bet on popular sports events or gamble on the performances of their favorite players.
The American Gaming Association estimated that more than 31 million Americans would bet a total of $7.6 billion on Super Bowl 56 last year between the Los Angeles Rams and the Cincinnati Bengals.
Synopsys chose to examine the security of sports betting apps because their surge in popularity also increases the risk they carry, according to Jonathan Knudsen, head of global research at Synopsys' CyRC.
“Many organizations are laser focused on making something that works, rather than something that works securely,” Knudsen said via email.
“Using open-source components as building blocks helps development teams create functionality quickly,” Knudsen said. “However, open-source components must be properly managed to minimize security risk.”
Researchers warned that the apps in this study were significantly riskier than those in a wider study of mobile apps done in 2021. That prior report looked at more than 3,300 mobile apps and found that 63% had vulnerable components, with only 39 vulnerabilities per app.
Researchers deliberately did not name the specific apps, but selected top apps, each with more than 500,000 downloads, Synopsys said. Each app was downloaded and analyzed once in December and a second time in January.