Fandango and Credit Karma: First FTC mobile security-by-design settlements

Golden Data Law
Published in Golden Data
Aug 27, 2020

Ain Boucif Col de Ain El Karma — habib kaki 2

“Consumers are increasingly using mobile apps for sensitive transactions. Yet research suggests that many companies, like Fandango and Credit Karma, have failed to properly implement SSL encryption,” said FTC Chairwoman Edith Ramirez in the settlement press release. “Our cases against Fandango and Credit Karma should remind app developers of the need to make data security central to how they design their apps.”

In March 2014, Fandango and Credit Karma agreed to settle Federal Trade Commission (FTC) charges that they misrepresented the security of their mobile apps and failed to secure the transmission of millions of consumers’ sensitive personal information from their mobile apps. The main issue raised by the FTC was that Fandango and Credit Karma disabled SSL certificate validation, which left consumers who used the apps exposed to man-in-the-middle attacks.

To help secure sensitive transactions, mobile operating systems, including iOS and Android, provide app developers with tools to implement an industry standard known as Secure Sockets Layer, or SSL. If properly implemented, SSL secures an app’s communications and ensures that an attacker cannot intercept the sensitive personal information a consumer submits through an app. By overriding the default validation process, the security…
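An added example, not taken from the original article or the FTC filings: a small source audit that flags common ways an Android or iOS app overrides the default certificate validation described above. The rule ids, the rule set and both Java snippets are constructed for illustration and do not represent either company's code.

```python
import re

# A method body holding nothing but whitespace or comments.
_EMPTY = r"\{(?:\s|//[^\n]*|/\*(?:[^*]|\*(?!/))*\*/)*\}"

# (rule id, pattern, reason); API names are real, rule ids are illustrative.
RULES = [
    ("trust-all-manager",
     re.compile(r"void\s+checkServerTrusted\s*\([^)]*\)[^{;]*" + _EMPTY),
     "checkServerTrusted() never throws, so any certificate chain is accepted"),
    ("trust-all-hostnames",
     re.compile(r"boolean\s+verify\s*\([^)]*SSLSession[^)]*\)\s*\{\s*return\s+true\s*;\s*\}"),
     "HostnameVerifier.verify() returns true for every host"),
    ("allow-all-constant",
     re.compile(r"\bALLOW_ALL_HOSTNAME_VERIFIER\b|\bAllowAllHostnameVerifier\b"),
     "Apache HttpClient verifier that skips hostname matching"),
    ("ios-validation-off",
     re.compile(r"\ballowInvalidCertificates\s*=\s*YES\b|\bvalidatesDomainName\s*=\s*NO\b"),
     "AFNetworking security policy with validation switched off"),
]

def audit(source):
    """Return sorted (line, rule_id, reason) tuples, one per override found."""
    return sorted((source.count("\n", 0, m.start()) + 1, rule_id, reason)
                  for rule_id, pattern, reason in RULES
                  for m in pattern.finditer(source))

# Constructed sample: an Android client that overrides the default validation.
OVERRIDDEN = """\
TrustManager[] tm = { new X509TrustManager() {
    public void checkClientTrusted(X509Certificate[] c, String a) {}
    public void checkServerTrusted(X509Certificate[] c, String a)
            throws CertificateException { /* accept everything */ }
    public X509Certificate[] getAcceptedIssuers() { return null; }
} };
conn.setHostnameVerifier(new HostnameVerifier() {
    public boolean verify(String host, SSLSession s) { return true; }
});
"""

# Constructed sample: the same request relying on the platform defaults.
DEFAULT = """\
HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
conn.connect();  // default TrustManager and HostnameVerifier stay in place
"""

if __name__ == "__main__":
    for source in (OVERRIDDEN, DEFAULT):
        print(audit(source) or "no overrides found")
```

A finding means the code has replaced the platform's validation logic; a clean result only means none of these specific patterns appear.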


Golden Data Law is a mission-driven benefit corporation that provides legal services to the not-for-profit community and to governmental agencies.