woman using mobile tablet payments online shopping

FTC Sends Message: Make Your Mobile App Secure

FTC Sends Message: Make Your Mobile App Secure

April 7, 2014

FTC Sends Message: Make Your Mobile App Secure

By: Ifrah Law

Mobile payments have become so commonplace that consumers rarely stop to think about whether their online payment is secure. Mobile app developers can fall into a similar trap of assuming that the necessary security measures are enabled without performing the necessary audits to assure security on a regular basis. A recent settlement between the FTC and two companies offering unsecured mobile application products gives cause to think again.

The FTC alleges that the movie ticketing service Fandango and credit monitoring company Credit Karma failed to adequately protect consumers’ sensitive personal information in their mobile apps because they failed to use Secure Sockets Layer (“SSL”) protocol to establish authentic, encrypted connections with consumers. Generally, an online service will present an SSL certificate to the app on the consumer’s device to vouch for its identity. The app then verifies the certificate to ensure that it is connecting to the genuine online service. When companies fail to use this protocol—especially if consumers use the app over a public wi-fi system—third party attackers can substitute an invalid certificate to the app, thus establishing a connection between the app and the attacker rather than the online service. As a result, any information that the consumer enters into the app will be sent directly to the attacker, including credit card numbers and other sensitive and personally identifying information.

The FTC alleged that Fandango and Credit Karma left their applications vulnerable to interception by third parties by failing to use SSL protocol. The FTC alleged that Fandango misrepresented the security of its application by stating that consumers’ credit card information would be stored and transmitted securely, despite the fact that the SSL protocol was disabled on the app from March 2009 to March 2013. The FTC alleged that Credit Karma’s app failed to validate SSL certificates from July 2012 to January 2013, leaving the app susceptible to attackers which could gather personal identifying information such as passwords, security questions and answers, birthdates, and “out of wallet” verification answers regarding things like mortgages and loan amounts.

In both cases, the online services received warnings of the vulnerabilities from both users and the FTC. In December 2012 a security researcher used Fandango’s online customer service form to submit a warning regarding the vulnerability. However, Fandango mistakenly flagged the email as a password reset request and sent the researcher a stock response on password resetting, then marked the complaint as resolved. A user sent a similar notice to Credit Karma about the SSL certificates in January 2013. Credit Karma responded by issuing a fix in the update to the iOS operating system that same month, however, one month later Credit Karma issued an Android app which contained the same vulnerability.

In both cases, the online services performed a more thorough internal audit of the apps only when issued a warning by the FTC. The FTC issued complaints against the companies for their deceptive representations regarding the security of their systems. While the complaints noted that the apps were vulnerable to third party attacks, they did not allege that any such attacks were made or that any consumer information was in fact compromised. Perhaps due to the lack of consumer harm, the FTC entered into consent agreements with Fandango and Credit Karma in which the services did not have to pay a monetary judgment, but did agree to establish comprehensive security programs and undergo security assessments every other year for the next 20 years. Fandango and Credit Karma are additionally prohibited from misrepresenting the level of privacy and security in their products or services.

SSL certificates are the default validation process that iOS and Android operating systems provide developers using the application programming interface. Therefore, mobile app developers can protect themselves and their users from this vulnerability simply by leaving the default SSL protocol enabled. What’s more, app developers can test for and identify SSL certificate validation vulnerabilities using free or very low cost tools. Therefore, all app developers should take the necessary precautions to ensure the security of their systems, and prevent harm to consumers (and potential lawsuits) down the road.

Ifrah Law

Ifrah Law

Ifrah Law is a passionate team of experts that understands the importance of listening to and addressing specific concerns of clients – when facing the heat of a federal investigation or the ire of a business competitor. Experience in complex cases related to online gambling and sports betting, internet marking and advertising, and white collar litigation.

Related Practice(s)
Other Posts
FTC’s Operation AI Comply Generated in Part by Fear of Scale
FTC Beat |
Oct 24, 2024

FTC’s Operation AI Comply Generated in Part by Fear of Scale

By: Jordan Briggs
FTC Adds COPPA Violations to the Growing List of Privacy Concerns While TikTok is on the Clock
Aug 13, 2024

FTC Adds COPPA Violations to the Growing List of Privacy Concerns While TikTok is on the Clock

By: Jordan Briggs
The FTC Kills Noncompetes
FTC Beat |
Apr 30, 2024

The FTC Kills Noncompetes

By: George Calhoun
Got Endorsers? Federal Trade Commission Issues Updated Advertising Guides
FTC Beat |
Jul 10, 2023

Got Endorsers? Federal Trade Commission Issues Updated Advertising Guides

By: Michelle Cohen

Subscribe to Ifrah Law’s Insights