It’s a huge weekend for the UK’s National Lottery - with a jackpot of almost £60 million up for grabs in what’s set to be the biggest payout since the Lotto began 21 years ago.
Chances are that many people will be buying tickets, and many of them may be tempted to install a National Lottery smartphone app.
Well, wait just a second… because James Maude, a security researcher at Avecto, has been in touch with me raising some concerns about the National Lottery’s official Android app. Not because he has found any vulnerabilities or privacy concerns in its code, but rather because of the way in which the National Lottery are distributing it.
You see, the official Android Google Play store doesn’t allow gambling and lottery apps that offer real cash prizes, so the National Lottery can’t get into the official app store.
Instead, in order to play the National Lottery on your Android you need to make a change to your smartphone’s settings - allowing apps to be installed from unknown sources.
And nowhere in its installation walkthrough does the National Lottery warn of the risks associated with installing apps from outside the Google Play store.
That certainly does seem like an unfortunate omission.
But, James argues, the plot thickens when you consider how the National Lottery is telling desktop users to download the app onto their Android mobile phone, by scanning a QR code.
James takes up the story:
The QR code contains a third-party URL (http://q-r.to/baavbx) powered by www.qr-code-generator.com. This then sends the mobile device back to the Lottery site, triggering the APK file to be downloaded from an AWS instance.
As I see it there are a few issues here:
- This is an app that expects to receive users’ personal and financial information.
- The National Lottery does not warn users about the dangers of enabling side loading apps, the most common attack vector on Android.
- The redirect is external and uses HTTP - so it doesn’t authenticate, so a malicious hacker could use a man-in-the-middle attack to swap out the app for something nasty.
- The National Lottery is telling users to disable part of Android’s built-in security and trust an APK based on a name.
- They are relying on a third-party not being compromised, or the lottery’s user account with the QR code generator site not being abused.
Aside from the concerns about the QR code and its third-party redirect, I would never recommend that a typical Android user turns off a key part of Android’s defence against malicious apps.
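To make the redirect concern concrete, here is an added example (not code from the article, James Maude or the National Lottery) that audits a recorded redirect chain and shows why one plaintext hop undermines every hop after it. Only the first URL comes from the article; the other two URLs and the `lottery.example` publisher domain are constructed placeholders.

```python
from urllib.parse import urlsplit

# Constructed sample chain. Only the first URL is from the article; the other
# two are placeholders for the publisher's site and the AWS-hosted APK.
SAMPLE_CHAIN = [
    "http://q-r.to/baavbx",
    "https://lottery.example/android/download",
    "https://downloads.aws.example/lottery.apk",
]

def host_in_domain(host, domain):
    """True only for the domain itself or a real subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def audit_chain(hops, publisher_domain):
    """Return (hop_index, finding) tuples for an ordered redirect chain."""
    findings = []
    tainted = False  # set once any earlier hop travelled without TLS
    for i, url in enumerate(hops):
        parts = urlsplit(url)
        if parts.scheme.lower() != "https":
            # Response is unauthenticated: anyone on the network path can
            # rewrite the Location header and choose the next hop.
            findings.append((i, "plaintext"))
            tainted = True
        elif tainted:
            # HTTPS here proves who served this hop, not that the publisher
            # chose it: the URL was delivered by an unauthenticated hop.
            findings.append((i, "downstream-of-plaintext"))
        if not host_in_domain(parts.hostname, publisher_domain):
            findings.append((i, "third-party-host"))
    return findings

if __name__ == "__main__":
    for hop, finding in audit_chain(SAMPLE_CHAIN, "lottery.example"):
        print(f"hop {hop}: {finding:<24} {SAMPLE_CHAIN[hop]}")
```
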
In a nutshell, The National Lottery expects you to lower your Android phone’s security if you want to buy Lotto tickets with its app. Is that a gamble you really want to take?
If you really want to be in with a chance of winning a fortune in the National Lottery, you might be wiser visiting their website via a regular web browser (use a VPN if you are worried that your internet traffic may not be properly secured, and run an up-to-date anti-virus to reduce the threat of spyware snooping upon your activities).
Recent news of more malware being found in the Android Google Play store shouldn’t weaken the truth that confining yourself to apps from the official store is still a lot safer than allowing apps from any old website to run on your Android smartphone.