Trade Law Daily is a service of Warren Communications News.
Signal to Industry?

FTC Mobile App Security Actions Bring SSL to the Fore

The FTC’s settlements with two mobile apps for misrepresenting their data security measures focused on Secure Sockets Layer (SSL), according to a Friday release (http://1.usa.gov/1lroHC0). SSL is an industry standard that mobile operating systems, such as iOS and Android, provide to app developers to secure transactions with sensitive data, the FTC said. While the FTC’s complaints against the two companies -- movie ticket seller Fandango and credit score monitor Credit Karma -- cited several security shortcomings, the SSL certificate got prominent billing.


Industry representatives disagreed over the message the settlements sent. Association for Competitive Technology (ACT) Executive Director Morgan Reed said the action reiterated the growing desire among consumers, industry and regulators for encryption of any kind. “This is about making sure you're providing robust, end-to-end encryption to the best of your ability,” he said. ACT works with small- and mid-sized app developers to help them comply with government regulations. Others worried the action indicated a mandate for companies to use SSL, which some consider a fairly advanced security measure that’s not widely used. It’s “a shot across the bow,” as one industry official put it, to all mobile app developers not using SSL.

A disabled SSL certificate is the first “security failure” cited in both complaints (Fandango: http://1.usa.gov/O6pZ6M; Credit Karma: http://1.usa.gov/1f19QtS). FTC Chairwoman Edith Ramirez also singled it out when announcing the settlements. “Consumers are increasingly using mobile apps for sensitive transactions,” she said. “Yet research suggests that many companies, like Fandango and Credit Karma, have failed to properly implement SSL encryption.” It’s the first time the FTC has been so explicit about a particular type of cybersecurity measure, said an industry representative. “I think it’s new,” but not unique, said Reed. The FTC has been clear about its “privacy by design” belief, he said.

The FTC has brought only one previous mobile security case, said an FTC spokesman -- a February 2013 complaint against mobile phone manufacturer HTC America (http://1.usa.gov/1dUUPpU). The commission alleged the company was introducing security flaws into its products that exposed sensitive data but did not mention SSL or mobile app development specifically.

The FTC considers its other mobile app complaints -- a December case against the Brightest Flashlight Free app and a Children’s Online Privacy and Protection Act (COPPA) complaint against social networking app Path -- more about mobile privacy than mobile data security, the FTC spokesman said. In the December case, the FTC alleged the flashlight app, made by Goldenshores, was misleading users about how geolocation data would be shared with third parties. In announcing that settlement, FTC Bureau of Consumer Protection Director Jessica Rich concentrated her statement on giving consumers “a real, informed choice” about how their data is being collected. Friday, Ramirez instead highlighted app design in her comments. “Our cases against Fandango and Credit Karma should remind app developers of the need to make data security central to how they design their apps.”

ACT advises app developers to “do the right things” and follow the security measures presented to them, whether that’s SSL or something else, Reed said. “That’s what burned” both Fandango and Credit Karma, he said. In the Credit Karma complaint, the FTC said even after the company addressed the disabled SSL certificate in February, it then released an Android version of its app with the same unvalidated SSL certificate. According to the complaints, both companies have since addressed their SSL deficiencies.

But a very large part of the mobile app market is lacking when it comes to SSL certificates, according to some research. In January, security firm IOActive found 40 percent of major banking apps for the iPhone “did not validate the authenticity of SSL certificates presented” (http://bit.ly/1eKuJXw). And others in the industry were critical of SSL’s security value. In February, Apple had to release a patch to correct an SSL bug in its operating system (http://bit.ly/MhrCNZ).
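As an added illustration, not code from the complaints, either company, or IOActive, the Python below audits a TLS client configuration for the "disabled certificate validation" pattern the complaints and the IOActive research describe, showing the weak configuration beside a half-fixed and a corrected one. It uses Python's standard ssl module rather than the iOS or Android APIs the apps used, but the same three decisions (chain check, hostname match, trust anchors) exist on those platforms; the function names and finding messages are this example's own assumptions.

```python
import ssl

# Added example: a small audit of how a TLS client context is configured.
# It contrasts the "disabled certificate validation" pattern described in the
# complaints with a partially and a correctly configured client. Function and
# message names are this example's own, not from the FTC filings.


def audit_tls_client_context(ctx: ssl.SSLContext) -> list[str]:
    """Return human-readable findings for settings that weaken server authentication."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        # Chain is never checked: any certificate, including an attacker's, is accepted.
        findings.append("verify_mode=CERT_NONE: server certificate is not validated")
    if not ctx.check_hostname:
        # Chain may be checked, but a valid certificate for a different name passes.
        findings.append("check_hostname=False: certificate subject is not matched to the host")
    if ctx.verify_mode != ssl.CERT_NONE and ctx.cert_store_stats()["x509_ca"] == 0:
        # Validation is on but there is nothing to validate against; every handshake
        # fails, which is the situation that tempts developers to turn validation off.
        findings.append("no trust anchors loaded: chain validation cannot succeed")
    return findings


def unvalidated_context() -> ssl.SSLContext:
    """The weak configuration: validation disabled outright."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def chain_only_context() -> ssl.SSLContext:
    """A half-fix: trust anchors loaded and chain checked, hostname ignored."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    return ctx


def validated_context() -> ssl.SSLContext:
    """The corrected configuration: platform trust store, chain and hostname checks."""
    return ssl.create_default_context()


if __name__ == "__main__":
    for name, ctx in [("unvalidated", unvalidated_context()),
                      ("chain-only", chain_only_context()),
                      ("validated", validated_context())]:
        print(name, audit_tls_client_context(ctx) or ["no findings"])
```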

The merits of Apple’s SSL are irrelevant to the FTC’s announcement, Reed said. “There’s no perfect Excalibur when it comes to encryption,” he said. “This is about making sure you're doing the right thing, and if you're doing encryption, making sure you're doing it the right way.”