Poor Mobile App Security Draws FTC’s Attention


What Made News?

The Federal Trade Commission (FTC) recently charged two companies — Fandango, LLC, and Credit Karma, Inc. — with violating the FTC Act by misrepresenting the security of their mobile apps and failing to securely transmit sensitive personal information over the Internet. In order to settle the charges, the companies have agreed to establish comprehensive security programs designed to address security risks during the development of their apps and to undergo independent security assessments every other year for the next 20 years.

What Do These Companies Do?

Both Fandango and Credit Karma operate mobile apps — Fandango has an app for the iOS operating system that allows consumers to purchase movie tickets and view information such as show times, trailers, and reviews; Credit Karma has an app for iOS and Android that allows consumers to monitor and evaluate their financial status.

What Was the Problem?

According to the FTC, both companies misrepresented the security of their mobile apps and failed to secure the transmission of sensitive personal information for millions of consumers. Specifically, the FTC alleged that the companies failed to take "reasonable steps" to secure their apps, including by disabling SSL certificate validation, the default process by which an app checks that the server it is talking to presents a certificate issued by a trusted authority for that server's name. Without that check the connection is still encrypted, but the app cannot tell the real server from an attacker on the same network who presents a forged certificate, so a man in the middle can read and alter everything sent over the connection. Certificate validation is performed by default by the iOS and Android networking stacks, is available to every app developer, and is considered the industry standard. Rather than relying on that default, Fandango and Credit Karma overrode the validation process so that their apps no longer verified server certificates. In so doing, the FTC alleges, the companies exposed consumers' credit...
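An assessor checking for the kind of override the FTC describes would look for the handful of code patterns that turn platform certificate validation off on Android and iOS. The scanner below is an added example written for this article; it is not code from Fandango, Credit Karma, or the FTC, and the file paths and source snippets it scans are constructed to illustrate the patterns: an X509TrustManager with an empty checkServerTrusted, a HostnameVerifier that always returns true, Apache HttpClient's ALLOW_ALL_HOSTNAME_VERIFIER, NSURLRequest's private setAllowsAnyHTTPSCertificate:forHost:, and a connection delegate that hands the server's trust object back as a credential without evaluating it.

```python
"""Static check for code that overrides a mobile platform's TLS certificate
validation. Added example for this article, not Fandango's or Credit Karma's
code. File paths and source snippets below are constructed for illustration."""
import re
from typing import Dict, List, NamedTuple


class Finding(NamedTuple):
    path: str
    line: int
    rule: str
    snippet: str


# (rule name, pattern). \s also matches newlines, so brace-delimited bodies
# that span several lines still match.
RULES = [
    # Android: X509TrustManager whose checkServerTrusted() body is empty (or
    # only comments/return), so any chain, forged or not, is accepted.
    ("android.trust-all-manager", re.compile(
        r"checkServerTrusted\s*\([^)]*\)\s*(?:throws[\w.,\s]+?)?\{(?:\s|//[^\n]*|return\s*;)*\}")),
    # Android: HostnameVerifier that always says yes, so a valid certificate
    # for some other host is accepted for this connection.
    ("android.accept-any-hostname", re.compile(
        r"\bverify\s*\(\s*(?:final\s+)?String\s+\w+\s*,\s*(?:final\s+)?SSLSession\s+\w+\s*\)"
        r"\s*\{\s*return\s+true\s*;\s*\}")),
    # Android (Apache HttpClient): built-in verifier that skips hostname checks.
    ("android.allow-all-hostname-verifier", re.compile(r"\bALLOW_ALL_HOSTNAME_VERIFIER\b")),
    # iOS: private NSURLRequest API that turns certificate checks off for a host.
    ("ios.allows-any-https-certificate", re.compile(r"\bsetAllowsAnyHTTPSCertificate\s*:")),
]
# iOS: handing the server's SecTrustRef back as a credential is only safe after
# SecTrustEvaluate* has been run on it; flag files that never call it (heuristic).
IOS_USE_TRUST = re.compile(r"\bcredentialForTrust\s*:")
IOS_EVALUATE = re.compile(r"\bSecTrustEvaluate\w*\s*\(")


def _line(text: str, offset: int) -> int:
    return text.count("\n", 0, offset) + 1


def scan_source(path: str, text: str) -> List[Finding]:
    """Return every validation-bypass pattern found in one source file."""
    found = []
    for rule, pat in RULES:
        for m in pat.finditer(text):
            found.append(Finding(path, _line(text, m.start()), rule, " ".join(m.group(0).split())))
    m = IOS_USE_TRUST.search(text)
    if m and not IOS_EVALUATE.search(text):
        found.append(Finding(path, _line(text, m.start()), "ios.unvalidated-server-trust",
                             "credentialForTrust: used with no SecTrustEvaluate call in file"))
    return sorted(found)


def scan_tree(sources: Dict[str, str]) -> List[Finding]:
    """Scan a {path: source} mapping, e.g. a decompiled app or a checkout."""
    return [f for path, text in sorted(sources.items()) for f in scan_source(path, text)]


# Constructed samples: the first two reproduce the bypass patterns, the third
# relies on the platform defaults and should produce no findings.
SAMPLES = {
    "android/TrustAll.java": """\
public class TrustAll implements X509TrustManager, HostnameVerifier {
    public void checkClientTrusted(X509Certificate[] chain, String authType) {}
    public void checkServerTrusted(X509Certificate[] chain, String authType) {
        // trust every server certificate, forged ones included
    }
    public X509Certificate[] getAcceptedIssuers() { return null; }
    public boolean verify(String hostname, SSLSession session) { return true; }
    static void configure(SSLSocketFactory f) {
        f.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
    }
}
""",
    "ios/InsecureDelegate.m": """\
@implementation InsecureDelegate
+ (void)allowHost:(NSString *)host {
    [NSURLRequest setAllowsAnyHTTPSCertificate:YES forHost:host];
}
- (void)connection:(NSURLConnection *)c willSendRequestForAuthenticationChallenge:(NSURLAuthenticationChallenge *)ch {
    // hands the server's own trust object straight back, never evaluating it
    SecTrustRef trust = ch.protectionSpace.serverTrust;
    [ch.sender useCredential:[NSURLCredential credentialForTrust:trust] forAuthenticationChallenge:ch];
}
@end
""",
    "android/Api.java": """\
public class Api {
    static HttpsURLConnection open(String url) throws Exception {
        // no custom TrustManager or HostnameVerifier: platform defaults apply
        return (HttpsURLConnection) new URL(url).openConnection();
    }
}
""",
}

if __name__ == "__main__":
    for f in scan_tree(SAMPLES):
        print(f"{f.path}:{f.line}: {f.rule}: {f.snippet}")
```

Run as a script it prints one line per finding, five for the samples above and none for the file that leaves the platform defaults in place. The rules are deliberately narrow and will miss less common bypasses, so an assessment would pair a scan like this with a runtime test: point the app at a proxy that presents a certificate for the wrong name or from an untrusted issuer and confirm that the app refuses the connection.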
