In December 2018, the New York Attorney General’s Office announced settlements with five companies operating mobile apps, including Equifax and Western Union. The N.Y. Attorney General stated that the companies failed to keep sensitive information secure on their mobile apps and have agreed to implement improved security controls. The settlements came following a data privacy initiative by the Attorney General’s Office to proactively identify security vulnerabilities before consumer information is breached. As part of this effort, the Attorney General’s Office tested dozens of mobile apps that collect sensitive information.
Under the settlements, the apps were found to contain a known security vulnerability that “could have allowed sensitive information entered by users – such as passwords, social security numbers, credit card numbers, and bank account numbers – to be intercepted and viewed by eavesdroppers employing simple and well-publicized techniques,” for example a “man-in-the-middle” attack.
The N.Y. Attorney General concluded that the mobile apps failed to deploy HTTPS, one of the most widely recognized security measures, which uses “Transport Layer Security” (TLS) certificates to establish an encrypted connection between a server and a client (e.g., a mobile app or web browser). TLS certificates let the client verify that it is talking to the genuine server, and the resulting encrypted connection protects data in transit so that eavesdroppers cannot read or alter it – especially important when dealing with sensitive personal and financial data – which is how HTTPS effectively counters man-in-the-middle attacks. While users on a web browser can often see whether HTTPS is being employed by looking for a green padlock in the URL window, mobile app users are often unaware of the privacy and data integrity controls in place when they enter information.
Furthermore, the N.Y. Attorney General stated that “certain versions of the companies’ apps all failed to properly authenticate the SSL/TLS certificates they received. As a result, an attacker could have impersonated the companies’ servers and intercepted information entered into the app by the user. With this information, an attacker could commit various forms of identity theft and fraud, including credit card fraud.”
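The two findings above (no HTTPS, and HTTPS whose certificate is not properly authenticated) correspond to concrete client-side settings. The following is an added illustration, not code from the settlements or from any of the companies involved, written against Python's standard ssl module: it builds the kind of TLS client configuration that accepts any certificate (the failure described above) beside a hardened one, and an audit function that a developer or reviewer can run over a client's SSLContext before the app is allowed to transmit sensitive fields. The function names insecure_context, hardened_context, audit_context and safe_to_transmit are this example's own.

```python
import ssl

# Constructed example: two ways an HTTPS client can be configured, and an
# audit that flags the configuration the N.Y. Attorney General described.


def insecure_context() -> ssl.SSLContext:
    """The anti-pattern described in the settlements: the client accepts
    any certificate, so an attacker presenting a forged certificate for the
    company's server is never detected and can read what the user types."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # check_hostname must be cleared before verify_mode can be set to CERT_NONE.
    ctx.check_hostname = False        # certificate name never compared to server name
    ctx.verify_mode = ssl.CERT_NONE   # certificate chain never validated
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Validates the certificate chain against the platform trust store,
    matches the certificate to the hostname, and refuses legacy TLS versions."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED, check_hostname=True, system CAs
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list[str]:
    """Return a list of findings; an empty list means the client authenticates
    the server the way HTTPS is meant to."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: server certificate chain is not validated")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: certificate is not matched to the server hostname")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version allows TLS 1.1 or older")
    return findings


def safe_to_transmit(ctx: ssl.SSLContext) -> bool:
    """Gate to place in front of any request carrying passwords, SSNs or
    card numbers: refuse to send unless the context passes the audit."""
    return not audit_context(ctx)


if __name__ == "__main__":
    for label, ctx in (("insecure", insecure_context()), ("hardened", hardened_context())):
        print(f"{label}: safe_to_transmit={safe_to_transmit(ctx)}")
        for finding in audit_context(ctx):
            print("  -", finding)
```

The audit inspects configuration rather than performing a live connection, so it runs offline and can be added to a unit test suite; the equivalent review on a mobile platform is to look for custom trust managers or delegates that return success unconditionally, which is what "failed to properly authenticate" usually means in practice.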
The settlements require each company to implement comprehensive security programs to better protect user data and address known security vulnerabilities. No monetary fines were assessed against the companies.
Moreover, the settlements serve as an important reminder for app developers and operators to continually test their apps for security vulnerabilities and to design apps with security in mind – ensuring that sensitive information is protected both in transit and at rest. The FTC, which previously brought similar enforcement actions against Fandango and Credit Karma, issued helpful guidance on mobile app security in May 2017, titled “App Developers: Start with Security.”