LifeLock Kills Mobile Wallet App, Deletes User Data from Servers

After discovering that its mobile app was not fully compliant with PCI security standards, identity protection firm LifeLock said on Friday that it has pulled its mobile wallet application from popular app stores and was deleting user information stored for the mobile app from its servers.

“We have determined that certain aspects of the mobile app may not be fully compliant with payment card industry (PCI) security standards,” Todd Davis, Chairman and CEO of LifeLock, wrote in a security update on Friday. “For that reason, we are removing the LifeLock Wallet application from the App Store, Amazon Apps, and Google Play, and when users open the LifeLock Wallet, their information will be deleted in the app.” 

LifeLock’s Wallet application is based on technology gained from its December 2013 acquisition of Lemon, a digital wallet company that Lifelock bought for $42.6 million in cash.  

“Even though we have no reason to believe the data has been compromised, we believe this is the right thing to do,” Davis continued.

LifeLock told SecurityWeek that it voluntarily notified the FTC about the issue on Thursday.

In an effort to protect user privacy security, and The FTC has been targeting technology firms and companies offering mobile applications lately.

As SecurityWeek reported in March, the FTC has found itself challenged in keeping up with privacy implications with technology changing so rapidly. The agency even has a “mobile lab” where technicians and attorneys analyze how apps handle user data.

Earlier this year, Fandango and Credit Karma, two firms offering popular mobile applications, agreed to settle charges brought forth by the FTC over allegations that they failed to properly secure their apps and misrepresented the security of such apps to users.

The FTC alleged that Fandango and Credit Karma “failed to take reasonable steps to secure their mobile apps”, putting consumers at risk by failing to secure the transmission of millions of users’ sensitive personal information.

Specifically, the FTC accused the firms of disabling the SSL certificate validation process, making the apps vulnerable to Man-in-the-Middle (MitM) attacks, especially when connecting via public Wi-Fi networks. 

The FTC also fined Android flashlight app developer GoldenShores last year for not disclosing in its privacy policy that user data was being shared with an advertising network.

While the app will be unavailable for users for the time being, Davis said that LifeLock is working to make a Wallet that maintains “the highest level of PCI compliance” available to users soon.

“I want to make sure that when LifeLock Wallet is available again, you’ll know that you can download it, provide your personal information and use it again with confidence—knowing that it’s backed by an industry leader that is committed to doing the right thing and taking care of its customers.” 

*Updated with response from LifeLock.