In August 2014, the Federal Trade Commission (“FTC”) approved final orders resolving its actions against Fandango, LLC (“Fandango”) and Credit Karma, Inc. (“Credit Karma”) for allegedly misrepresenting the security of their mobile apps to customers because of alleged security flaws in both mobile applications. Companies can look to the complaints and settlement orders for guidance in implementing security measures for their own mobile apps.
The FTC’s complaints alleged that the companies’ mobile apps left customers’ sensitive personal information, including credit card information and Social Security numbers, vulnerable to interception by outside parties because the companies’ allegedly disabled the Secure Socket Layer (“SSL”) certificate verification process in their mobile apps. An SSL certificate is a protocol used to establish authentic encrypted connections. SSL protocol is considered by some to be an industry standard for mobile applications due to the frequency with which mobile users connect to the internet through public Wi-Fi. When a mobile app connects to an online service, the service presents an SSL certificate to the device to authenticate its identity. Once the app validates the SSL certificate, an encrypted connection is established with the app so that a customer can send information to the service securely. SSL certificates protect applications from “man-in-the-middle” attacks, where an attacker could use invalid certificates to intercept the connection between the app and the online service and obtain personal information transmitted by the user of the app to the online service. The Apple iOS and Android operating systems both use the SSL verification process by default and warn developers against disabling the defaults. Both Fandango’s and Credit Karma’s mobile apps contained in-app statements that customer information is transmitted or stored securely by the companies’ apps. The FTC’s complaints alleged that Fandango and Credit Karma overrode the default SSL certificate validation settings without implementing alternative security measures to compensate for the lack of the SSL certificate validation, and, thus, misrepresented to customers the security of personal information transmitted or stored by the companies’ mobile apps.
The FTC also contended that both companies failed to appropriately test, audit, assess, or review their applications. For Fandango, the FTC also charged the company with allegedly failing to maintain an adequate process for receiving and addressing security vulnerability reports from third parties. According to the FTC, a security researcher had attempted to notify Fandango of its app’s potential vulnerability. However, Fandango’s general customer service system inadvertently treated the message as a password reset request. For Credit Karma, the FTC argued that it failed to adequately supervise the third party service provider (“TSP”) hired to develop the company’s mobile app. Credit Karma’s TSP had been allowed to override the SSL defaults for testing purposes but had failed to remove the bypass codes prior to launching the final version of the app. Although Credit Karma had contractually obligated the TSP to follow specific security measures, the contractual obligations did not protect Credit Karma from FTC action because, according to the FTC’s complaint, it could have ensured the mobile apps security by providing “reasonable oversight of its service providers and . . . performing an adequate security review of its application prior to launch.” (For additional guidance on the security obligations of third party service providers, see this earlier blog post). Thus, the FTC’s attention was not only on whether Fandango’s and Credit Karma’s mobile apps used SSL protocol but also on the procedures both companies had for ensuring the security of its mobile apps.
The FTC’s consent orders entered into with Fandango and Credit Karma prohibited both companies from misrepresenting the extent to which the companies’ products or services maintain and protect the privacy and security of customers’ personal information. The consent orders also required both companies to implement comprehensive security programs, which included steps to:
- Designate an employee or employees to coordinate and be accountable for an information security program.
- Identify internal and external risks to the security, confidentiality, and integrity of customers’ personal information in the companies’ possession or for which it has input into, or is stored on, captured with, accessed or transmitted through a computer using either companies’ products or services, and assess the sufficiency of any safeguards in place to control the risks.
- Consider risks in their operations including: (i) employee training and management, including training in secure engineering and defensive programming; (ii) product design and development; (iii) secure software design, development, and testing; (iv) review, assessment, and response to third-party security vulnerability reports; and (v) prevention, detection, and response to attacks, intrusions, or systems failures.
- Design and implement reasonable safeguards to control the risks identified through risk assessments, and perform regular testing or monitoring of the effectiveness of the safeguards’ key controls, systems, and procedures
- Develop and use reasonable steps to select TSPs capable of maintaining security practices consistent with those required of the companies in the FTC orders and to require TSPs by contract to implement and maintain such safeguards.
- Evaluate and adjust the companies’ security programs in light of the results of testing and monitoring, any material changes to operations or business arrangements, or any other circumstances that the companies know or have reason to know may have a material impact on effectiveness of the security programs.
The consent orders also required Fandango and Credit Karma to undergo independent security assessments every other year for the next 20 years.
In short, four key takeaways from these actions by the FTC are:
- Ensure that each company’s mobile application follows the standard SSL verification protocol or has an equivalent security measure.
- Maintain an appropriate audit and review process to ensure secure transmission of customers’ personal information by each company’s mobile application.
- Maintain an adequate process for receiving and reviewing security vulnerability reports from third parties.
- Ensure reasonable oversight of engaged TPSPs’ security practices.