Continuing a recent trend of enforcement actions stressing the importance of “adequate” testing for security flaws, the Federal Trade Commission (“FTC”) announced settlement agreements with Fandango and Credit Karma closing investigations of their mobile app security practices. The FTC alleged both companies failed to take low-cost, widely accepted measures to ensure that the SSL connections they used to secure transmissions including customers’ sensitive personal information were validated, leaving customers vulnerable to attacks from individuals positioning themselves between the customers’ devices and a companies’ servers (“man-in-the-middle” attacks).
The SSL protocol does not prevent a “man-in-the-middle” attack unless the application has validated the SSL certificate presented by the company. The Commission explained that mobile operating systems provide SSL validation tools to developers and that developers “can easily test for and identify SSL certificate validation vulnerabilities using free or low-cost, publicly available tools.”
The Credit Karma complaint alleged that SSL validation was disabled in the course of testing the app, and accidentally not re-enabled. The FTC claimed the company could have prevented this vulnerability by performing an adequate security review before launch. The Commission also alleged that, after becoming aware of the vulnerability in its iOS app, the company should have tested its Android app for similar vulnerabilities. Finally, the FTC claimed the company failed to take adequate steps to oversee its service providers’ security practices.
The Fandango complaint alleged that the company’s app did not validate SSL certificates from its launch in March 2009 until the company was contacted by FTC staff in March 2013. The FTC claimed that the company did not conduct regular audits to ensure that its app was transmitting information securely. The Commission also alleged that the company ignored a security researcher’s report of the vulnerability because its reporting system was improperly designed.
The FTC’s complaints stop short of declaring that apps must implement SSL when they transmit or receive users’ sensitive personal information. But in these cases the FTC is taking the position that apps must implement some measures to prevent “man-in-the-middle” attacks, and must ensure those measures work properly by conducting regular testing and responding to vulnerability reports from third parties.
