When you encounter a website or mobile app that requires you to log in or register, do you use your social media account to do so? If you answered “yes,” you are part of a growing majority according to a Gigya survey, which found that social login use is on the rise as a result
FTC Settlement Requires Fandango and Credit Karma to Establish Comprehensive Security Programs to Protect Consumers’ Sensitive Personal Information
The Federal Trade Commission (“FTC”) has approved final orders settling charges against Fandango and Credit Karma that the companies misrepresented the security of their mobile apps and failed to protect the transmission of consumers’ sensitive personal information. The FTC specifically alleged that, although the companies made security promises to consumers that their information was adequately…
FTC Seeking Additional Public Comment on Mobile Security
Following up on a June 2013 forum on mobile security, the Federal Trade Commission (“FTC”) announced last week that it is seeking public comment to “expand the record on these issues with an eye towards [producing] a report.” As we previously reported, the FTC held a panel in June 2013 called “Mobile Security: Potential…
FTC Announces Settlements with Two Mobile App Providers
Today, the Federal Trade Commission announced settlements with two mobile app makers that allegedly failed to provide reasonable security for the personal information collected in connection with their apps. In complaints against Credit Karma, Inc. and Fandango LLC, the FTC alleged that both companies’ apps failed to validate SSL certificates, a security shortcoming that could have allowed an attacker to connect to the app—and collect unencrypted sensitive information—by presenting an invalid certificate. (This type of attack is sometimes called a “man-in-the-middle attack.”) Both respondents agreed to 20-year consent orders requiring, among other things, that they establish comprehensive information security programs.
These cases are important for a number of reasons: they reinforce past FTC guidance on the importance of performing security reviews and testing, overseeing service providers, and providing channels whereby security researchers can report vulnerabilities. But what might be most notable is that in neither case does the FTC specifically allege that the respondent’s practices were “unfair” within the meaning of the Section 5 of the FTC Act. Instead, both cases appear predicated upon the FTC’s authority to take actions against companies engaged in “deceptive” practices.…
Continue Reading FTC Announces Settlements with Two Mobile App Providers
HTC America’s Settlement with FTC Becomes Final
Yesterday, the FTC announced that it had approved a final order settling charges that HTC America failed to take reasonable steps to secure the software it developed for mobile devices. (We’ve previously blogged about the case here.) The FTC alleged that this failure amounted to an “unfair” practice in violation of Section 5 of…
FTC Holds Forum Addressing Mobile Security
By Chris Higby & Kurt Wimmer
Yesterday, the Federal Trade Commission held a forum on Mobile Security: Potential Threats and Solutions. The forum brought together academics, industry leaders, and security experts to discuss the security problems arising from the rapid adoption of mobile devices.
The first panel, consisting of security experts and researchers, gave a brief overview of mobile malware. They agreed that mobile malware infection rates are generally very low and that most malware accesses private information by using social engineering, rather than by exploiting technical flaws. Looking forward, Dan Guido, CEO of Trail of Bits, viewed the replacement of legitimate applications in app stores with malware versions as the most serious threat.
The second panel, consisting of security representatives from the major mobile operating systems (Microsoft’s Windows Phone, Google’s Android, Mozilla’s Firefox OS, Research In Motion’s BlackBerry, and Apple’s iOS), addressed how mobile platforms are designed with security in mind. Adrian Ludwig of Google advocated the use of install-time permissions, such as those found in Android, as a way to increase transparency to the user. However, both Adrian Stone of Blackberry and Geir Olsen of Microsoft expressed skepticism as to the effectiveness of permissions for the average user. Ludwig also criticized Apple’s approach of restricting users to “curated” app stores as a restriction on user choice.
Continue Reading FTC Holds Forum Addressing Mobile Security
FTC Announces Information about Upcoming Mobile Security Forum
Today, the Federal Trade Commission released the agenda and panelists for the public forum it is holding on mobile security, Mobile Security: Potential Threats and Solutions, on June 4, 2013. The forum will bring together technology researchers, industry members, and academics to explore mobile malware, the security of existing and developing mobile technologies, and…