FTC Announces Mobile App Security Consent Decrees

Mobile App Vulnerability Leads to Consent Decree

Fandango and Credit Karma have agreed to consent decrees with the FTC to settle charges that they misrepresented the security of their mobile apps and failed to secure the transmission of millions of consumers’ sensitive personal information from their mobile apps.

The FTC alleged that, despite their security promises, Fandango and Credit Karma failed to take reasonable steps to secure their mobile apps, leaving consumers’ sensitive personal information at risk. Among other things, the complaints charge that Fandango and Credit Karma disabled a critical default process, known as SSL certificate validation, which would have verified that the apps’ communications were secure.

As a result, the companies’ applications were vulnerable to “man-in-the-middle” attacks: an attacker positioned on the network path could present a certificate of his own, which the apps would accept, and then intercept, read, or alter any of the information the apps sent or received. This type of attack is especially dangerous on public Wi-Fi networks such as those at coffee shops, airports and shopping centers, where anyone on the same network can take that position.

“Consumers are increasingly using mobile apps for sensitive transactions. Yet research suggests that many companies, like Fandango and Credit Karma, have failed to properly implement SSL encryption,” said FTC Chairwoman Edith Ramirez. “Our cases against Fandango and Credit Karma should remind app developers of the need to make data security central to how they design their apps.”

To help secure sensitive transactions, mobile operating systems, including iOS and Android, provide app developers with tools to implement an industry standard known as Secure Sockets Layer, or SSL (today, its successor TLS). Encryption alone is not enough: the protocol protects an app’s communications only if the app also verifies that the server’s certificate was issued by a trusted authority and matches the host it meant to reach. That certificate validation is what the platforms perform by default, and it is the step that ensures an attacker cannot quietly stand in for the server and intercept the sensitive personal information a consumer submits through an app.

The FTC explained:

By overriding the default validation process, Fandango undermined the security of ticket purchases made through its iOS app, exposing consumers’ credit card details, including card number, security code, zip code, and expiration date, as well as consumers’ email addresses and passwords. Similarly, Credit Karma’s apps for iOS and Android disabled the default validation process, exposing consumers’ Social Security Numbers, names, dates of birth, home addresses, phone numbers, email addresses and passwords, credit scores, and other credit report details such as account names and balances.

The settlements with Fandango and Credit Karma are part of the FTC’s ongoing effort to ensure that companies secure the applications they develop and keep their privacy promises to consumers. The FTC has also created a guide to help consumers understand how to stay secure when using public Wi-Fi connections.

In a separate blog post, the FTC offered the following guidance:

1.  Exercise extreme care when modifying security defaults.  Had the companies left well enough alone, the security defaults of the operating systems would have protected consumers’ personal information from man-in-the-middle attacks.  Of course, we’re not saying it’s always illegal to modify a default setting.  In fact, there are ways you can go above and beyond the default SSL certificate validation by implementing an even stronger authentication method known as “certificate pinning.”  But modifying security defaults is the brain surgery of app development.  Companies need to be darn sure they know what they’re doing.

2.  Test your app thoroughly before releasing it.  Carpenters have an old adage:  “Measure twice, cut once.”  The corollary for app developers:  Take advantage of readily available free or low-cost methods for testing the security of your apps before you put them into consumers’ hands.

3.  Consider how people will use your apps.  There’s a reason why SSL is so important in the mobile environment and why the iOS and Android developer documentation makes such a big deal about it:  because people often use mobile apps on unsecured public Wi-Fi networks.  Like chess players, developers need to think a few moves ahead.  Before releasing an app, think through how people are likely to use it and secure it with those real-world considerations in mind.

4.  You’re responsible for what others do on your behalf.  According to the complaint, Credit Karma authorized a service provider to disable the SSL certificate validation process during pre-release testing, but didn’t see to it that the security settings were restored after that.  The first concern:  The testing could have been done without turning the defaults off.  But even so, it’s critically important that companies make sure everything is back in apple pie order before consumers get the app.

5.  Keep your ear to the ground.  There’s an active research community out there that shares information about potential security vulnerabilities.  But by responding to a serious warning with a standard “bedbug letter,” Fandango missed the opportunity to fix the problems.  Has a knowledgeable person contacted your company recently about a potential risk?  And is that message languishing unread in an email box?

6.  Consult available resources. The FTC brochure, Mobile App Developers: Start with Security, offers advice for companies about protecting against this type of vulnerability:

To protect users, developers often deploy SSL/TLS in the form of HTTPS. Consider using HTTPS or another industry-standard method. There’s no need to reinvent the wheel.  If you use HTTPS, use a digital certificate and ensure your app checks it properly. A no-frills digital certificate from a reputable vendor is inexpensive and helps your customers ensure they’re communicating with your servers, and not someone else’s.  But standards change, so keep an eye on current technologies, and make sure you’re using the latest and greatest security features.

Bookmark the FTC’s Privacy & Security page and consult other public sources for free information about developing safer apps.