Mobile Enforcement Continues to be APPealing to the FTC
On March 28, 2014, the FTC announced two new mobile app settlements – with Fandango and Credit Karma – based on allegations that the companies failed to secure the transmission of consumers’ sensitive personal information collected via their mobile apps and misrepresented the security precautions that the companies took for each app. Specifically, the FTC alleged that Fandango and Credit Karma disabled the SSL (Secure Sockets Layer) certification validation procedure for each of their mobile apps. By doing so, the FTC claims that the apps were open to attackers positioning themselves between the app and the online service by presenting an invalid SSL certificate to the app – i.e., “man-in-the-middle” attacks. The FTC contends that Fandango and Credit Karma engaged in a number of practices that, when taken together, failed to provide reasonable and appropriate security in the development and maintenance of its mobile app, including:
- Overriding the default SSL certificate validation settings provided by the iOS and Android application programming interfaces (APIs) without implementing other security measures to compensate for the lack of SSL certificate validation;
- Failing to appropriately test, audit, assess, or review the apps, including failing to ensure that the transmission of sensitive personal information was secure;
- Failing to maintain an adequate process for receiving and addressing security vulnerability reports from third parties (Fandango only); and
- Failing to reasonably and appropriately oversee its service providers’ security practice (Credit Karma only).