Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Mobile & Wireless

Firms Settle With FTC Over Failure to Use SSL Validation in Mobile Apps

Two firms offering popular mobile applications (apps) have agreed to settle charges brought forth by the Federal Trade Commission (FTC) over allegations that they failed to properly secure their apps and misrepresented the security of such apps to users, the FTC announced on Friday.

Two firms offering popular mobile applications (apps) have agreed to settle charges brought forth by the Federal Trade Commission (FTC) over allegations that they failed to properly secure their apps and misrepresented the security of such apps to users, the FTC announced on Friday.

The FTC alleged that Fandango and Credit Karma “failed to take reasonable steps to secure their mobile apps”, putting consumers at risk by failing to secure the transmission of millions of users’ sensitive personal information.

Specifically, the FTC’s complaint alleges that both firms disabled the SSL certificate validation process, making the applications vulnerable to Man-in-the-Middle (MitM) attacks, especially when connecting via public Wi-Fi networks.

“Consumers are increasingly using mobile apps for sensitive transactions. Yet research suggests that many companies, like Fandango and Credit Karma, have failed to properly implement SSL encryption,” said FTC Chairwoman Edith Ramirez. “Our cases against Fandango and Credit Karma should remind app developers of the need to make data security central to how they design their apps.”

When properly implemented, SSL secures an app’s communications and helps ensure that an attacker cannot intercept data being sent through a mobile app.

“By overriding the default validation process, Fandango undermined the security of ticket purchases made through its iOS app, exposing consumers’ credit card details, including card number, security code, zip code, and expiration date, as well as consumers’ email addresses and passwords,” the FTC said. “Similarly, Credit Karma’s apps for iOS and Android disabled the default validation process, exposing consumers’ Social Security Numbers, names, dates of birth, home addresses, phone numbers, email addresses and passwords, credit scores, and other credit report details such as account names and balances.”

Fandango’s Movie app for iOS allows consumers to buy movie tickets and view show times, trailers, and reviews from their mobile device, while Credit Karma’s Mobile app for iOS and Android lets consumers monitor their credit and financial status.

According to the FTC’s complaint, from March 2009 until February 2013, Fandango’s iOS app disabled SSL certificate validation, despite assuring consumers that their credit card information was stored and transmitted securely during the checkout process.

Advertisement. Scroll to continue reading.

The complaint alleges that Fandango could have easily tested for and prevented the vulnerability, but failed to perform the basic security checks that would have caught the issue.

Additionally, the complaint charges that Fandango failed to have an adequate process for receiving vulnerability reports from security researchers and other third parties.

In its complaint, the FTC alleges that Credit Karma assured consumers that the company followed “industry-leading security precautions,” including the use of SSL to secure consumers’ information.

Despite these promises, the company disabled SSL certificate validation and left consumers that used its credit-monitoring app vulnerable to man-in-the-middle attacks. Despite being warned about the vulnerability in its iOS app, Credit Karma failed to test its Android app before launch. As a result, one month after receiving a warning about the issue, the company released its Android app with the very same vulnerability, the FTC said.

According to the FTC, the settlements “require Fandango and Credit Karma to establish comprehensive security programs designed to address security risks during the development of their applications and to undergo independent security assessments every other year for the next 20 years.”

The agreements will be subject to public comment through April 28, 2014, after which the Commission will decide whether to make the proposed consent orders final.

SSL Validation was recently a hot topic when Apple released a patch to address a dangerous SSL Validation flaw that affected a majority of its products, including iOS, Apple TV and even Mac OS X. 

Those Interested in submitting comments to the FTC on the Fandango settlement can do so here and the Credit Karma settlement here

When the Commission issues a consent order on a final basis, it carries the force of law with respect to future actions. Each violation of such an order may result in a civil penalty of up to $16,000.

Written By

For more than 15 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is founder and director of several leading cybersecurity industry conferences around the world.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Discover strategies for vendor selection, integration to minimize redundancies, and maximizing ROI from your cybersecurity investments. Gain actionable insights to ensure your stack is ready for tomorrow’s challenges.

Register

Dive into critical topics such as incident response, threat intelligence, and attack surface management. Learn how to align cyber resilience plans with business objectives to reduce potential impacts and secure your organization in an ever-evolving threat landscape.

Register

People on the Move

Stephanie Crowe has been appointed head of the Australian Cyber Security Centre (ACSC).

Cloud security giant Wiz has named Fazal Merchant as President and Chief Financial Officer.

Cybersecurity and data protection company Acronis has appointed Gerald Beuchelt as CISO.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.