Whether you’re checking your credit score while waiting for a flight or buying movie tickets while on your way to the theater, the last thing you are probably worried about is what kind of security tests your smartphone apps’ developers ran a year ago. If an established, well-publicized, highly rated app with millions of downloads and prominent data protection promises can’t be trusted to secure your information, after all, who can? And if your data is intercepted, it must be through some new, highly advanced cyber-attack, right? You might be surprised—or then again, maybe not.
The Federal Trade Commission (FTC) has recently announced settlements with both Fandango and Credit Karma, whose smartphone apps contained the same critical security flaw: a failure to validate Secure Sockets Layer (SSL) certificates, one of the most basic and well-established security practices out there. Without that check, the app cannot tell the real server from an attacker sitting between it and the server, so the encryption buys nothing. As the FTC put it, quoting the Android app developer guide, “An app that doesn’t validate SSL certificates ‘might as well not be encrypting communication, because anyone can attack users at a public WiFi hot spot … (and) the attacker can then record passwords and personal data.’” If apps as popular and established as Fandango and Credit Karma can have such glaring vulnerabilities—and they are far from alone—consumers might be wary of sending sensitive information over their apps.
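To make the flaw concrete, here is an added example (written for this overview, not code from Fandango, Credit Karma or the FTC orders) of what "failing to validate SSL certificates" usually looks like in an Android or Java app, next to the correct form. The names `CertValidationDemo`, `openInsecurely` and `openSecurely` are illustrative; the API calls are the standard `javax.net.ssl` ones. The insecure version installs a trust manager whose `checkServerTrusted` never throws, so any certificate, including one forged on the spot by someone on the same public WiFi, is accepted. The secure version is simply the platform default, which checks the chain against the device trust store and verifies the hostname.

```java
import java.io.IOException;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

// Illustrative class; not part of the article or of any of the apps it discusses.
public final class CertValidationDemo {

    // VULNERABLE: a "trust everything" X509TrustManager. Because checkServerTrusted()
    // never throws, every server certificate is accepted, whoever issued it and
    // whatever name is on it. This is the pattern the FTC settlements describe.
    static final TrustManager[] TRUST_EVERYTHING = new TrustManager[] {
        new X509TrustManager() {
            @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
            @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { }
            @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        }
    };

    // VULNERABLE: wires the trust-all manager into an SSLContext and, as is common
    // alongside it, also disables hostname verification.
    static HttpsURLConnection openInsecurely(URL url) throws IOException, GeneralSecurityException {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, TRUST_EVERYTHING, new SecureRandom());
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setHostnameVerifier((hostname, session) -> true);
        return conn;
    }

    // SECURE: do nothing special. The default SSLContext validates the certificate
    // chain against the platform trust store, and HttpsURLConnection's default
    // HostnameVerifier checks that the certificate matches the URL's host.
    static HttpsURLConnection openSecurely(URL url) throws IOException {
        return (HttpsURLConnection) url.openConnection();
    }

    // Attempts the request and reports whether the TLS handshake was accepted.
    static String attempt(String label, HttpsURLConnection conn) {
        try {
            int status = conn.getResponseCode();   // forces the TLS handshake
            return label + ": accepted (HTTP " + status + ")";
        } catch (IOException e) {
            return label + ": rejected (" + e.getClass().getSimpleName() + ": " + e.getMessage() + ")";
        } finally {
            conn.disconnect();
        }
    }

    // Usage: java CertValidationDemo https://<host with a self-signed or mismatched cert>/
    // Against such a host the insecure path is "accepted" and the secure path is
    // "rejected"; that difference is exactly what an attacker exploits.
    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: CertValidationDemo <https-url>");
            System.exit(2);
        }
        URL url = new URL(args[0]);
        System.out.println(attempt("insecure", openInsecurely(url)));
        System.out.println(attempt("secure  ", openSecurely(url)));
    }
}
```

The trust-all manager usually enters a code base to make a development build talk to a test server with a self-signed certificate, and then ships by accident. The check a reviewer wants is therefore a search of the app's source for custom `X509TrustManager` or `HostnameVerifier` implementations and for calls to `setSSLSocketFactory`/`setHostnameVerifier`; each one found must either validate properly or be confined to debug builds.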
As a result of the FTC’s enforcement action, it’s not just consumers who need to pay close attention to data security practices. FTC Chairwoman Edith Ramirez warned, “Our cases against Fandango and Credit Karma should remind app developers of the need to make data security central to how they design their apps.” To help businesses and practitioners minimize their own regulatory surprises, the IAPP Westin Research Center presents the following in-depth case overview of the Credit Karma and Fandango cases. For more analysis of FTC enforcement actions, visit the IAPP Westin Research Center’s FTC Privacy Casebook: First Look.
By Kelsey Finch