Two firms offering popular mobile applications (apps) have agreed to settle charges brought forth by the Federal Trade Commission (FTC) over allegations that they failed to properly secure their apps and misrepresented the security of such apps to users, the FTC announced on Friday.
The FTC alleged that Fandango and Credit Karma “failed to take reasonable steps to secure their mobile apps”, putting consumers at risk by failing to secure the transmission of millions of users’ sensitive personal information.
Specifically, the FTC’s complaint alleges that both firms disabled the SSL certificate validation process, making the applications vulnerable to Man-in-the-Middle (MitM) attacks, especially when connecting via public Wi-Fi networks.
“Consumers are increasingly using mobile apps for sensitive transactions. Yet research suggests that many companies, like Fandango and Credit Karma, have failed to properly implement SSL encryption,” said FTC Chairwoman Edith Ramirez. “Our cases against Fandango and Credit Karma should remind app developers of the need to make data security central to how they design their apps.”
When properly implemented, SSL secures an app’s communications and helps ensure that an attacker cannot intercept data being sent through a mobile app.
“By overriding the default validation process, Fandango undermined the security of ticket purchases made through its iOS app, exposing consumers’ credit card details, including card number, security code, zip code, and expiration date, as well as consumers’ email addresses and passwords,” the FTC said. “Similarly, Credit Karma’s apps for iOS and Android disabled the default validation process, exposing consumers’ Social Security Numbers, names, dates of birth, home addresses, phone numbers, email addresses and passwords, credit scores, and other credit report details such as account names and balances.”
Fandango’s Movie app for iOS allows consumers to buy movie tickets and view show times, trailers, and reviews from their mobile device, while Credit Karma’s Mobile app for iOS and Android lets consumers monitor their credit and financial status.
According to the FTC’s complaint, from March 2009 until February 2013, Fandango’s iOS app disabled SSL certificate validation, despite assuring consumers that their credit card information was stored and transmitted securely during the checkout process.
The complaint alleges that Fandango could have easily tested for and prevented the vulnerability, but failed to perform the basic security checks that would have caught the issue.
Additionally, the complaint charges that Fandango failed to have an adequate process for receiving vulnerability reports from security researchers and other third parties.
In its complaint, the FTC alleges that Credit Karma assured consumers that the company followed “industry-leading security precautions,” including the use of SSL to secure consumers’ information.
Despite these promises, the company disabled SSL certificate validation and left consumers that used its credit-monitoring app vulnerable to man-in-the-middle attacks. Despite being warned about the vulnerability in its iOS app, Credit Karma failed to test its Android app before launch. As a result, one month after receiving a warning about the issue, the company released its Android app with the very same vulnerability, the FTC said.
According to the FTC, the settlements “require Fandango and Credit Karma to establish comprehensive security programs designed to address security risks during the development of their applications and to undergo independent security assessments every other year for the next 20 years.”
The agreements will be subject to public comment through April 28, 2014, after which the Commission will decide whether to make the proposed consent orders final.
SSL Validation was recently a hot topic when Apple released a patch to address a dangerous SSL Validation flaw that affected a majority of its products, including iOS, Apple TV and even Mac OS X.
Those Interested in submitting comments to the FTC on the Fandango settlement can do so here and the Credit Karma settlement here.
When the Commission issues a consent order on a final basis, it carries the force of law with respect to future actions. Each violation of such an order may result in a civil penalty of up to $16,000.
Managing Editor, SecurityWeek.Previous Columns by Mike Lennon:Responding to Lawsuit, Trustwave Says Did Not Monitor Targets NetworkFirms Settle With FTC Over Failure to Use SSL Validation in Mobile AppsFireEye Report Analyzes Zero-day Attacks of 2013Google Says Public DNS Intercepted by ISPs in TurkeyRapid7 Pushes Defense Prioritization, Segmentation Testing In Latest Product Updates
Tags: Mobile Security