March Madness apps for iOS could put corporate data at risk

College basketball’s popular March Madness tournament begins this week, and fans have access to more related mobile apps than ever before. However, people who use such apps on corporate-owned of BYOD devices should beware; many of these apps can burrow into corporate networks and present real security risks.

Some of the most popular sports-related iOS apps for iPhone and iPad can access users’ calendars, share data with social networking sites, send texts, and make repeat calls to premium-priced phone numbers, according to a new study conducted by Flexera Software, which makes software that helps developers license apps and ensure compliance.

Majority of March Madness iOS apps share user data, track device location

Flexera analyzed 28 iOS apps, including the popular March Madness Live, Yahoo Sports, ESPN Tournament Challenge, and CBS Sports, and found that nearly all of them had potentially problematic features.

March Madness Live, for example, can access and share users’ calendar information on social media sites, and it links to ad networks, which can act as backdoors for malware. In fact, 26 of the 28 tested apps can access and share this information, and another 79 percent, including CBS Sports, Dish Anywhere and ESPN Tournament Challenge, can access iOS devices’ location tracking features, according to Flexera.

The location features are often used to push relevant ads based on users’ locations, but they can also track individuals. Fortunately, it’s easy enough to turn off the feature — just open your iOS Settings, scroll down to the app you’re concerned about, tap it and then uncheck the location permission button.

Flexera found that 25 of the apps it analyzed can access iOS telephone functions. Though not particularly common, malware that places repeat calls to expensive premium numbers, usually in another country, has been discovered by researchers in the past.

Apps that access SMS functionality can potentially read text messages stored on users’ phones, or create text messages and send them to random recipients, such as device contacts, if the apps also have access to contact lists. Flexera found that 19 of the apps it examined can access SMS text features.

Should you be worried if you use March Madness apps?

A successful attack on your company’s network using one of these types of apps is unlikely. On the other hand, if one did occur you may be responsible for any associated damage — and it could cost you your job.

If you work in a security-conscious environment, check in with your IT department and ask about the specific policies they have to govern personal phones that are used for business. Even if you don’t use your phone for work, it’s a good idea to get in the habit of checking app permissions whenever you download new software. It only takes a few seconds, and it can help avoid any number of unpleasant surprises.

Meanwhile, enjoy the college hoops.