Today, the Federal Trade Commission announced settlements with two mobile app makers that allegedly failed to provide reasonable security for the personal information collected in connection with their apps. In complaints against Credit Karma, Inc. and Fandango LLC, the FTC alleged that both companies’ apps failed to validate SSL certificates, a security shortcoming that could have allowed an attacker to connect to the app—and collect unencrypted sensitive information—by presenting an invalid certificate. (This type of attack is sometimes called a “man-in-the-middle attack.”) Both respondents agreed to 20-year consent orders requiring, among other things, that they establish comprehensive information security programs.
These cases are important for a number of reasons: they reinforce past FTC guidance on the importance of performing security reviews and testing, overseeing service providers, and providing channels whereby security researchers can report vulnerabilities. But what might be most notable is that in neither case does the FTC specifically allege that the respondent’s practices were “unfair” within the meaning of the Section 5 of the FTC Act. Instead, both cases appear predicated upon the FTC’s authority to take actions against companies engaged in “deceptive” practices.Continue Reading FTC Announces Settlements with Two Mobile App Providers