The Toruk app has over 100,000 installs on Google Play, is also available on iOS, and has not received any form of update since 2016.
Upon examination, ESET researcher Lukáš Štefanko found that "anyone who was connected to the network during the show had the same admin possibilities as the Cirque du Soleil operators."
The app has no authentication protocols in place. As a result, an open port -- port 6161 -- could be exploited by attackers to remotely control the app on any device running Toruk, including tampering with volume settings, displaying content, forcing the discovery of nearby Bluetooth devices, and reading or writing the shared preferences the app is able to access.
An attacker could perform a scan to harvest the IP addresses of vulnerable devices. While the mischief they could cause is limited, all it would have taken to revoke this mass access, which requires no form of authentication, was for the app to generate a unique token for each device.
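The per-device token fix described above can be sketched as follows. This is an added example, not code from the Toruk app or from ESET: `DeviceListener`, `sign_command`, the JSON message format and the command names are hypothetical, and the token is assumed to reach the show operators over an authenticated channel when the device registers.

```python
import hashlib
import hmac
import json
import secrets


class DeviceListener:
    """Hypothetical stand-in for the app's local command listener."""
    ALLOWED = {"set_volume", "show_content"}  # assumed command names

    def __init__(self):
        # Unique random token generated on this device at first launch.
        self.token = secrets.token_bytes(32)
        self.last_counter = 0

    def handle(self, raw: bytes) -> str:
        # 1. Parse only the outer envelope; the body stays an opaque string.
        try:
            msg = json.loads(raw)
            body, tag = msg["body"], bytes.fromhex(msg["tag"])
            expected = hmac.new(self.token, body.encode(), hashlib.sha256).digest()
        except (ValueError, KeyError, TypeError, AttributeError):
            return "rejected: malformed"
        # 2. Authenticate before interpreting anything the sender controls.
        if not hmac.compare_digest(tag, expected):
            return "rejected: bad tag"
        # 3. Only now parse the command itself.
        try:
            cmd = json.loads(body)
            name, counter = cmd["name"], int(cmd["counter"])
        except (ValueError, KeyError, TypeError):
            return "rejected: malformed"
        if counter <= self.last_counter:
            return "rejected: replay"
        if name not in self.ALLOWED:
            return "rejected: unknown command"
        self.last_counter = counter
        return f"accepted: {name}"


def sign_command(token: bytes, name: str, counter: int, **args) -> bytes:
    """Operator side: build a command bound to one device's token."""
    body = json.dumps({"name": name, "counter": counter, "args": args},
                      sort_keys=True)
    tag = hmac.new(token, body.encode(), hashlib.sha256).hexdigest()
    return json.dumps({"body": body, "tag": tag}).encode()
```

A message signed for one device is rejected by every other device, so someone who merely shares the network can no longer drive the whole audience's phones.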
ESET attempted to reach out to Cirque du Soleil in March but did not receive a response. The researchers tried again in May, only to be met with radio silence.
As the Toruk show ended its production run at the end of June, the researchers decided to wait until July to reveal their findings. The application is no longer needed and so should be uninstalled immediately -- a worthwhile security practice that should be applied to any single-use or single-purpose mobile application.
However, Cirque du Soleil does intend to pull the app from Google Play and the Apple App Store now that the show is over.
"We weighed the security risks connected with the app, which we consider moderate, against the negative effect of harming the show after five years of touring the globe and with a few performances to go," the team said.
ZDNet has reached out to Cirque du Soleil and will update if we hear back.