The Federal Trade Commission (“FTC”) has settled with two mobile application developers, Fandango and Credit Karma, over charges that they misrepresented the security of their mobile applications. According to the FTC, the developers failed to provide reasonable and appropriate security when their mobile applications transmitted consumers’ sensitive information. The particular issues noted by the FTC in its complaints against the developers differ to some degree, but the complaints share a common thread: the FTC alleges that the developers claimed to transmit sensitive data securely but disabled the Secure Sockets Layer (SSL) protocol, which authenticates and encrypts communications across networks.
Both developers have agreed to not misrepresent the privacy or security of their products and services and to establish comprehensive security programs that address security risks associated with the development and management of their products and services. Those security programs will be subject to independent, biannual assessments over the next two years. In the remainder of this post, we provide a high-level description of how SSL works, summarize the FTC’s complaints against Fandango and Credit Karma, and identify some important takeaways from these settlements.
These settlements are yet another indication that the FTC is paying keen attention to mobile issues. Businesses using SSL or that have a stake in the mobile ecosystem would be prudent to evaluate whether their security and privacy practices align with the FTC’s expectations and seek counsel as appropriate.
How SSL Works
The SSL protocol is a common method to establish authenticated and encrypted connections over networks. To establish such connections, SSL relies on a “digital handshake” facilitated by the exchange of small data files called “SSL certificates.” In the context of mobile applications:
- An application first requests a secure connection with an online service.
- The service then returns to the application an SSL certificate.
- The application confirms that the certificate was issued by a trusted party (e.g., the developer of the mobile application).
- The application and the online service then exchange cryptographic keys to enable encrypted communications.
The SSL protocol reduces the likelihood of “man-in-the-middle” attacks, in which attackers insert themselves between mobile applications and online services and connect with the application to monitor or alter communications. The iOS and Android operating systems allow applications to create secure connections via SSL, and both systems enable SSL validation by default.
The FTC’s Allegations Against Fandango
Fandango offers a website and mobile applications (including iOS and Android versions) that consumers can use to view movie showtimes, trailers, and reviews, and to purchase tickets. When purchasing tickets, consumers can pay by credit card and save their credit card information on their mobile devices for future transactions. When consumers purchase tickets via the mobile application, the application transmits credit card information to Fandango’s servers.
Fandango offered the following statements to consumers:
Your Fandango iPhone Application allows you to store your credit card and Fandango account information on your device so you can conveniently purchase movie tickets. Your information is securely stored on your device and transferred with your approval during each transaction.
You don’t need an account to securely purchase tickets.
The FTC claims that, between March 2009 and March 2013, Fandango overrode iOS defaults and disabled SSL certification. The FTC also alleges that Fandango’s security audits did not address whether transmissions of credit card information were secure and that the company’s process for receiving vulnerability reports did not appropriately escalate a 2012 report that the lack of SSL certification made the application vulnerable to man-in-the-middle attacks. According to the FTC, those practices did not conform to the statements Fandango made about its security practices.
The FTC’s Allegations Against Credit Karma
Credit Karma offers a website and mobile application that consumers can use to monitor, evaluate, and manage their credit statuses. The Android and iOS versions of Credit Karma’s mobile application allow consumers to access their credit scores and credit score histories, view summaries of the accounts listed on their credit reports, and receive notice about credit report changes. When consumers establish accounts through the mobile application, they share their names, contact information, passwords, security questions and answers, and Social Security numbers.
Credit Karma made the following statements to consumers:
We secure your information with bank-level VeriSign™ certified 128-bit SSL encryption.
We enable our servers with Secure Socket Layer (SSL) technology to establish a secure connection between your computer and our servers, creating a private session.
The FTC claims that, between July 2012 and January 2013, Credit Karma’s mobile application for iOS disabled SSL certification. Credit Karma allegedly disabled the protocol during testing of the application and failed to enable the protocol prior to issuing the production version. A user informed Credit Karma of the vulnerability in January 2013, and Credit Karma addressed the vulnerability that month. However, one month later, Credit Karma launched the Android version of its application with SSL certification disabled.
The FTC also claims that the iOS version of the application insecurely stored authentication credentials on devices in spite of the fact that Credit Karma expected its application development provider to encrypt that information. According to the FTC, reasonable oversight of the developer’s practices and “basic, low-cost security reviews” would have prevented the vulnerabilities in Credit Karma’s applications. The FTC alleged that the failure to implement these security measures exposed consumers to potential identity theft and compromise of their personal information. Therefore, according to the FTC, Credit Karma misrepresented its security practices.
The FTC complaints reiterate security standards that the FTC believes companies should meet when stating that they handle consumers’ sensitive information securely:
- When security measures are circumvented or disabled during the application development process, make sure that those measures are restored prior to delivering applications to consumers. The failure to do this led Credit Karma and HTC to face FTC enforcement actions. In Credit Karma’s case, the company authorized the application development firm to disable SSL certification for testing only. But Credit Karma did not take steps to ensure that the protocol was re-enabled for consumer use.
- Implement appropriate processes for receiving and addressing security vulnerability reports from third parties. Last year, the FTC issued guidance for application developers which included the admonition, “You’re not done once you release your app. Stay aware and communicate with your users.” The FTC expects developers to stay abreast of evolving vulnerabilities. The FTC took issue with Fandango, HTC, and TRENDnet over their alleged failure to do so. In Fandango’s case, a third-party security researcher sent a message via Fandango’s Customer Service page that SSL certification was disabled. Because the message contained the word “password”, the system automatically identified the message as a password reset request, sent the researcher information about how to reset the password, and marked the ticket as “resolved.”
- Maintain reasonable oversight over service providers and vendors. Credit Karma and GMR Transcription Services both fell under FTC scrutiny for the alleged failure to do this. Credit Karma expected its application development firm to enable SSL certification for consumer versions of the app and encrypt sensitive information stored on mobile devices. The FTC claims that Credit Karma could have used “basic, low-cost” measures to determine whether the provider was meeting those expectations. GMR Transcription was accused of failing to adequately monitor whether an overseas service provider implemented reasonable security measures for medical transcripts.
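The second takeaway describes a vulnerability report that was lost because an auto-responder matched the word “password” and closed the ticket. As an added example, not code from the post or from Fandango’s systems, the following shows the naive intake rule beside one that checks for security-report signals before any keyword automation runs, so a report like the researcher’s is routed to a security queue and is never auto-closed. The signal list, queue names and the two sample messages are constructed for illustration.

```python
"""Vulnerability-report intake (added example; the rules and messages are constructed)."""

# Words that indicate a message is reporting a security problem. These are
# checked first so keyword automation lower down cannot auto-close the ticket.
SECURITY_SIGNALS = (
    "vulnerab", "security", "ssl", "tls", "certificate",
    "man-in-the-middle", "mitm", "exploit", "encrypt",
)


def classify_naive(message: str) -> dict:
    """The failure mode: 'password' anywhere in the text is treated as a
    reset request, an answer is sent and the ticket is marked resolved."""
    if "password" in message.lower():
        return {"queue": "account", "auto_reply": "password_reset_help", "status": "resolved"}
    return {"queue": "general", "auto_reply": None, "status": "open"}


def classify(message: str) -> dict:
    """Security signals take precedence over every keyword rule, and a
    security ticket is never closed automatically."""
    text = message.lower()
    if any(signal in text for signal in SECURITY_SIGNALS):
        return {"queue": "security", "auto_reply": None, "status": "open"}
    if "password" in text:
        return {"queue": "account", "auto_reply": "password_reset_help", "status": "resolved"}
    return {"queue": "general", "auto_reply": None, "status": "open"}


# Constructed sample messages.
RESEARCHER_REPORT = (
    "Your iOS app does not validate the server's SSL certificate, so anyone on "
    "the same network can read the password and card number it sends."
)
RESET_REQUEST = "I forgot my password, how do I reset it?"


if __name__ == "__main__":
    for label, msg in (("report", RESEARCHER_REPORT), ("reset", RESET_REQUEST)):
        print(label, "naive:", classify_naive(msg), "improved:", classify(msg))
```

Ordering is the whole point: the security check runs before any rule that can send a canned reply or change a ticket’s status, and the security queue has no auto-resolve path at all, so a report still reaches a person even when its wording also matches an unrelated automation rule.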