The industry for mobile applications is growing rapidly. As companies and independent developers look to gain—or strengthen—footholds in this competitive space, the Federal Trade Commission (FTC) asks, “…is security keeping up” with mobile application companies’ public assurances of safety? The potential pitfalls of overpromising and underperforming when it comes to mobile application security are highlighted in the recent Credit Karma and Fandango FTC settlements.
In each of the Credit Karma and Fandango cases, the FTC charged the companies with misleading the public by assuring consumers that their respective mobile applications were safe, when in fact the mobile apps left “consumers’ sensitive personal information at risk” by failing to implement industry standard safety measures. Specifically, the FTC alleged that Credit Karma and Fandango disabled Secure Sockets Layer (“SSL”) certificate validation in their mobile applications. SSL is the de facto standard for secure Internet communications: it encrypts traffic between the app and the server and, when the app verifies the server’s certificate, protects that traffic against active, man-in-the-middle attacks. With certificate validation turned off, the connection is still encrypted, but the app will talk to anyone who answers, so an attacker who can interpose on the connection (on a public Wi-Fi network, for example) can present his own certificate and read or alter any data the application transmits, including the credit card numbers and Social Security numbers these apps handled. Basic security testing would have revealed that certificate validation was not functioning in either Fandango’s or Credit Karma’s application.
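The misconfiguration the settlements describe is easy to reproduce and easy to test for. The following is an added example using Python’s standard-library `ssl` module; the apps in question were native mobile applications, so this is an illustration of the configuration class, not the companies’ code. `build_client_context` constructs the hardened default alongside the two weak variants an audit should catch (chain validation disabled, and hostname matching disabled), and `audit_client_context` is the kind of basic check a release process can run against every outbound TLS configuration. Function names and finding strings are this example’s own.

```python
"""Audit a TLS client configuration for 'encryption on, validation off'.

Added example using Python's standard-library ssl module. It is not code
from the Credit Karma or Fandango apps; it reproduces the class of
misconfiguration the FTC complaints describe and a check that detects it.
"""
import ssl
from typing import List


def build_client_context(verify_certificate: bool = True,
                         verify_hostname: bool = True) -> ssl.SSLContext:
    """Return a client-side SSLContext.

    The defaults are the hardened form: the server's certificate chain must
    validate against the system trust store, the certificate must be issued
    for the host being contacted, and TLS versions below 1.2 are refused.
    The two flags reproduce the weak configurations an audit should catch.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if not verify_hostname:
        # The chain is still verified, but a valid certificate for *any* name
        # is accepted, so an attacker only needs a certificate for a domain
        # they legitimately control.
        ctx.check_hostname = False
    if not verify_certificate:
        # check_hostname must be cleared before verify_mode may be CERT_NONE.
        # This is "SSL on, validation off": the traffic is encrypted, but to
        # whoever answers, so an active attacker on the same Wi-Fi network can
        # present their own certificate and read or alter every request.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_client_context(ctx: ssl.SSLContext) -> List[str]:
    """Return a list of findings; an empty list means the client actually
    validates the server it talks to."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("verify_mode=CERT_NONE: server certificate is not "
                        "validated, any certificate is accepted")
    elif ctx.verify_mode == ssl.CERT_OPTIONAL:
        findings.append("verify_mode=CERT_OPTIONAL: a server may be accepted "
                        "without presenting a certificate")
    if not ctx.check_hostname:
        findings.append("check_hostname=False: certificate is not matched "
                        "against the host being contacted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(f"minimum_version={ctx.minimum_version.name}: "
                        "protocol versions below TLS 1.2 are accepted")
    return findings


def validates_peer(ctx: ssl.SSLContext) -> bool:
    """True when the context enforces chain and hostname validation."""
    return not audit_client_context(ctx)


if __name__ == "__main__":
    cases = [
        ("hardened default", build_client_context()),
        ("hostname check disabled", build_client_context(verify_hostname=False)),
        ("certificate validation disabled",
         build_client_context(verify_certificate=False)),
    ]
    for label, ctx in cases:
        print(f"{label}: {audit_client_context(ctx) or 'OK'}")
```

The same check belongs in an integration test that points the client at a server presenting an untrusted or mismatched certificate and asserts that the connection is refused; a client that connects anyway has exactly the defect the FTC described.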
The FTC settlement required each of Credit Karma and Fandango to “establish comprehensive security programs designed to address security risks during the development of their applications and to undergo independent security assessments every other year for the next 20 years.” Additionally, the FTC prohibited each company from misrepresenting their security measures to the users of their mobile applications.
What constitutes a “comprehensive security program?” Each mobile application presents its own risk profile. A good starting point for assessing a company’s public responsibilities in mobile application security is the FTC Business Center. There, the FTC makes available a wealth of data security information, addressing requirements for truthful mobile application marketing, guidelines and tips for assessing and maintaining mobile application security, and protection of consumers’ personally identifiable information.
Additionally, the Open Web Application Security Project (OWASP) maintains the OWASP Top Ten, a consensus document produced by a group of leading security experts that ranks the most critical application security risks. OWASP itself is a non-profit global community whose purpose is to assist organizations in developing and maintaining secure and trustworthy applications. In addition to presenting research and information applicable to application security threats, OWASP is also a useful source of open application security tools and standards.
Ultimately, there is no one-size-fits-all security program sure to address all potential risks. An individual security risk assessment, proportional mitigation measures, and continued monitoring of the security controls in place, together with truthful consumer disclosures, provide the best start to building an application consumers can trust.