Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Mobile & Wireless

Firms Settle With FTC Over Failure to Use SSL Validation in Mobile Apps

Two firms offering popular mobile applications (apps) have agreed to settle charges brought forth by the Federal Trade Commission (FTC) over allegations that they failed to properly secure their apps and misrepresented the security of such apps to users, the FTC announced on Friday.

Two firms offering popular mobile applications (apps) have agreed to settle charges brought forth by the Federal Trade Commission (FTC) over allegations that they failed to properly secure their apps and misrepresented the security of such apps to users, the FTC announced on Friday.

The FTC alleged that Fandango and Credit Karma “failed to take reasonable steps to secure their mobile apps”, putting consumers at risk by failing to secure the transmission of millions of users’ sensitive personal information.

Specifically, the FTC’s complaint alleges that both firms disabled the SSL certificate validation process, making the applications vulnerable to Man-in-the-Middle (MitM) attacks, especially when connecting via public Wi-Fi networks.

“Consumers are increasingly using mobile apps for sensitive transactions. Yet research suggests that many companies, like Fandango and Credit Karma, have failed to properly implement SSL encryption,” said FTC Chairwoman Edith Ramirez. “Our cases against Fandango and Credit Karma should remind app developers of the need to make data security central to how they design their apps.”

When properly implemented, SSL secures an app’s communications and helps ensure that an attacker cannot intercept data being sent through a mobile app.

“By overriding the default validation process, Fandango undermined the security of ticket purchases made through its iOS app, exposing consumers’ credit card details, including card number, security code, zip code, and expiration date, as well as consumers’ email addresses and passwords,” the FTC said. “Similarly, Credit Karma’s apps for iOS and Android disabled the default validation process, exposing consumers’ Social Security Numbers, names, dates of birth, home addresses, phone numbers, email addresses and passwords, credit scores, and other credit report details such as account names and balances.”

Fandango’s Movie app for iOS allows consumers to buy movie tickets and view show times, trailers, and reviews from their mobile device, while Credit Karma’s Mobile app for iOS and Android lets consumers monitor their credit and financial status.

According to the FTC’s complaint, from March 2009 until February 2013, Fandango’s iOS app disabled SSL certificate validation, despite assuring consumers that their credit card information was stored and transmitted securely during the checkout process.

The complaint alleges that Fandango could have easily tested for and prevented the vulnerability, but failed to perform the basic security checks that would have caught the issue.

Additionally, the complaint charges that Fandango failed to have an adequate process for receiving vulnerability reports from security researchers and other third parties.

In its complaint, the FTC alleges that Credit Karma assured consumers that the company followed “industry-leading security precautions,” including the use of SSL to secure consumers’ information.

Despite these promises, the company disabled SSL certificate validation and left consumers that used its credit-monitoring app vulnerable to man-in-the-middle attacks. Despite being warned about the vulnerability in its iOS app, Credit Karma failed to test its Android app before launch. As a result, one month after receiving a warning about the issue, the company released its Android app with the very same vulnerability, the FTC said.

According to the FTC, the settlements “require Fandango and Credit Karma to establish comprehensive security programs designed to address security risks during the development of their applications and to undergo independent security assessments every other year for the next 20 years.”

The agreements will be subject to public comment through April 28, 2014, after which the Commission will decide whether to make the proposed consent orders final.

SSL Validation was recently a hot topic when Apple released a patch to address a dangerous SSL Validation flaw that affected a majority of its products, including iOS, Apple TV and even Mac OS X. 

Those Interested in submitting comments to the FTC on the Fandango settlement can do so here and the Credit Karma settlement here

When the Commission issues a consent order on a final basis, it carries the force of law with respect to future actions. Each violation of such an order may result in a civil penalty of up to $16,000.

Written By

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.

Click to comment

Expert Insights

Related Content

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Cyberwarfare

Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Cybercrime

A digital ad fraud scheme dubbed "VastFlux" spoofed over 1,700 apps and peaked at 12 billion ad requests per day before being shut down.