Welcome to March Madness, where the excitement is infectious and apparently the apps might be as well. According to new research from Flexera Software, popular March Madness apps might be leaving users at risk.
Flexera took a look at 28 of the most popular iPhone apps that target March Madness fans who want to catch the action of every game or track the success of their brackets. What it found was that just about every last one of the apps was accessing more information than users were likely aware of.
A majority of the apps—61 percent—requested access to a device’s calendar, while 79 percent of them are capable of accessing the location tracking functionality of the phone. 68 percent of the apps have access to SMS texting functionality and 71 percent include the ability to share data with social networking sites connected to the device.
Perhaps most shocking is the amount of apps that utilize advertising networks. A whopping 89 percent of the tested apps, including Daily Bracket, ESPN and March Madness Live (the official offering from the NCAA for watching tournament games) support such a connection.
In many of these cases, the apps have large footprints; they are downloaded and used by millions of people. ESPN’s flagship app is the ranks first in the Sports category in the iOS App Store has been as high as the 28th most popular app overall since the start of 2016, according to data from App Annie.
Additional information from App Annie shows that March Madness Live has jumped to the top app in the entirety of the App Store in four of the last five years of tournament play. The one year it fell short of the top spot, 2012, it peaked as the second-most downloaded app.
Other apps, including CBS Sports, Dish, Sports Feed, are installed on millions of phones and see an increase in usage during major events like March Madness.
Maureen Polte, Vice President of Product Management at Flexera, told the Daily Dot that none of these app behaviors are inherently malicious or
benign, but they do require users to put a significant amount of trust into the app developers.
Flexera doesn’t call out any of the services as actively performing any devious acts unbeknownst to the user, but the risk of it is enough to raise questions. “Our tests are designed to expose what an app is doing on the device and what features, functions and data it can access,” Polte said.
In some cases, these points of access to data managed by the phone can be used in malicious ways. The most prominent example, an Android app called Brightest Flashlight Free, used the disguise of the most innocuous app imaginable to collect and transmit geolocation data to third-parties.
In response to the app’s behavior, the Federal Trade Commission accused the developer of deceiving users and noted that the app was collecting “persistent device identifiers that can be used to track a user’s location
over time.”
But even when an app’s behavior isn’t outwardly sinister, there are still potential risks in providing access to other functions. Polte pointed to an embarrassing case when an employee at the Environmental Protection Agency accidentally tweeted out ““I’m now a C-List celebrity in Kim Kardashian: Hollywood,”—a message shared from the Kim Kardashian: Hollywood app—to the government organization’s official account.
“Unbeknownst to the employee, [the] app had the ability to automatically access the phone’s twitter account and tweet out
messages when certain game thresholds were reached Unfortunately for the EPA, the…device was connected to the EPA’s official twitter account – not the
employee’s,” Polte explained.
In the case of some of the apps in question, it would be reasonable to assume that some permissions are needed for the app to function properly. Some apps point the user to a local establishment that is broadcasting games, for example. Others allow users to invite friends to fill out brackets and compete against one another, which requires permission to SMS or social media profiles.
Polte said that was “certainly” the case, but emphasized the need for awareness about these possibilities. For businesses and individuals alike, she said, “they must understand what the apps do and how
they behave; and they must make informed decisions about whether those apps are
allowable based on their own risk profile.”
In the case of some of the apps, it is possible for users to take back some control and deny permission to certain aspects of their device, should they want to block any sort of access. However, Polte said that “many users are not aware of the potential risks that certain app behaviors have so they may not even know
to opt out.”
Typically, an app will request access to a certain part of the device, but these rarely explain why that access is necessary. Users are likely to just tap “OK” and move on. Doing so grants the app the ability to connect to potentially collect data until manually denied access.
Luckily, iOS gives users a considerable amount of control over this. Through the Settings app, users can find a full list of apps installed on their device and manage each permission the app has been granted. This can be used to block or grant behaviors to each app on an individual basis.
Of course, the main takeaway of the research from Flexera shouldn’t be that it is possible to override the overreaching behavior of these apps—it’s that many developers are angling for access that shouldn’t be required given the service they perform.
When it comes to privacy and security, most March Madness apps come up short of the Big Dance. At least there’s always the NIT.
Illustration via Max Fleishman