The Legal Implications of Security for Mobile Apps
Smartphone and tablet applications, often known as mobile apps, can be a valuable tool for extending product offerings and for creating new business opportunities, but they also present a new type of security risk for a company and its customers. Although there is less media attention on mobile apps than on point-of-sale devices used to process credit cards in the retail industry, they can each put consumer data at risk. Because of the risk to consumers, mobile apps are likely to receive increased scrutiny from regulators, government agencies, and consumers.
A Closer Look at Fandango and Credit Karma
The Federal Trade Commission’s recent settlements with Fandango, LLC and Credit Karma, Inc. illustrate the potential security problems with mobile apps. Fandango sells movie tickets, and Credit Karma enables users to access credit scores and credit reports. Each company had a mobile app that processed certain types of sensitive information: Fandango’s mobile app transmitted credit card information, and Credit Karma’s mobile app transmitted social security numbers and other personal identifying information. During the development process of each mobile app, developers turned off Secure Sockets Layer (SSL) certificate validation. SSL establishes an encrypted connection between a mobile app and an online service (such as Fandango’s and Credit Karma’s websites). It is important for a mobile app to validate SSL certificates because, without validation, a third party can easily pose as the legitimate website and obtain a user’s data in unencrypted form. SSL certificate validation is a default setting, but Credit Karma and Fandango made the mobile apps available to the public with SSL certificate validation disabled, thereby reducing the security protection for people using the apps. Thus, although Credit Karma and Fandango used SSL to encrypt user data, their failure to validate SSL certificates created a high risk that a third party could access that data in an unencrypted format, putting users at risk of identity theft.
Credit Karma and Fandango, according to the Federal Trade Commission, failed to provide reasonable security for the mobile apps for three reasons each. The first two elements of each finding were similar. First, both companies overrode the default SSL certificate validation, enabling third parties to more easily obtain sensitive customer data that is not encrypted. Second, neither company properly tested, audited, assessed, or reviewed the mobile apps to ensure that they were secure. Notably, although Fandango had performed limited security reviews of the mobile app in previous years, the Federal Trade Commission found that the reviews were not sufficiently broad and did not confirm that credit card information was transmitted securely.
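As an added illustration (not code from the FTC complaints or from either company’s app), the Python `ssl` configuration below places the validation-off setting described above beside the secure default, and adds a small check of the kind the testing and review the Federal Trade Commission found lacking would include; `host` in `fetch_peer_subject` is an assumed parameter.

```python
import socket
import ssl
from typing import List

# Constructed example: contrasts a TLS context with certificate validation
# switched off (the pattern faulted in the settlements, often a leftover from
# testing against self-signed development servers) with Python's default.

def insecure_context() -> ssl.SSLContext:
    """Validation turned off: any certificate, presented by anyone, is accepted."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE     # the setting that lets an impostor pose as the site
    return ctx

def secure_context() -> ssl.SSLContext:
    """The default: chain checked against the system CA store, hostname checked."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return findings for a TLS context; an empty list means peers are validated."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: server certificate is never validated")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: a certificate for any name is accepted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version allows TLS older than 1.2")
    return findings

def fetch_peer_subject(host: str, ctx: ssl.SSLContext, port: int = 443) -> str:
    """Connect over TLS and return the validated server certificate's common name.
    With secure_context() an impostor certificate raises SSLCertVerificationError;
    with insecure_context() the handshake succeeds, nothing is validated, and
    getpeercert() returns an empty dict, so this returns ''."""
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    subject = dict(item[0] for item in cert.get("subject", ()))
    return subject.get("commonName", "")
```

Running `audit_context` over every context an app builds, as part of a pre-release review, catches the disabled-validation setting before the app ships rather than after a regulator does.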
The third element of the Federal Trade Commission’s findings of unsecured practices differed between the two companies. Credit Karma had engaged third-party developers, but the Federal Trade Commission determined that it did not perform proper oversight of its contractors to ensure they were complying with secure practices. Fandango did not establish a feedback mechanism for third parties to report security failures in a way that would directly notify developers or a security team for review.
It is important to note that the Federal Trade Commission’s actions were not prompted by a data breach. The Federal Trade Commission asserted that each company’s security failures alone constituted unfair or deceptive practices. A failure to implement a secure process, even if there is never a breach, can trigger a Federal Trade Commission investigation and action.
Mobile App Developers: Start With Security
Accordingly, companies must account for security issues in developing mobile apps. In the initial development process, a company must consider what type of data it will collect and how the data will be processed and stored. It is much easier and faster to consider these issues at the beginning than to focus solely on developing the functionality of a mobile app and then to raise security concerns shortly before the mobile app is ready for release. By identifying mobile app security issues and risks at the development phase, developers can design the mobile app with the goal of achieving both security and functionality.
In developing a mobile app, a useful reference to review is the Federal Trade Commission’s guidance Mobile App Developers: Start with Security. Some tips relate to the development process in a general manner, such as “Make someone responsible for security.” Other tips provide concrete recommendations, such as “Don’t store passwords in plaintext.” Although this guidance does not establish legal requirements, it seems likely that the Federal Trade Commission will compare a company’s practices against this guidance to determine whether it maintained adequate security practices with respect to its mobile apps.
Like all other security initiatives, mobile data security starts at the top of the organization. If executives make mobile app security a high priority, the development team will have the support it needs to incorporate appropriate security measures into the app prior to its release. On the other hand, without buy-in from top executives, the priority could shift to a quick release at the expense of important and appropriate security considerations. As mobile apps become more prevalent, there are likely to be more mobile application security risks and attacks against them. By recognizing the importance of mobile app security and following the Federal Trade Commission’s guidance, companies will be in a better position to protect customers and their data. To learn more about securing mobile apps, reach out to Vestige Ltd!
By Gregory Stein, BA, MBA, JD, CIPP / US, CIPM
Attorney at Law