Mobile Application: Security Best Practices


The industry for mobile applications is growing rapidly. As companies and independent developers look to gain—or strengthen—footholds in this competitive space, the Federal Trade Commission (FTC) asks, “… is security keeping up” with mobile application companies’ public assurances of safety? The potential pitfalls of overpromising and underperforming when it comes to mobile application security are highlighted in the recent Credit Karma and Fandango FTC settlements.

In each of the Credit Karma and Fandango cases, the FTC charged the companies with misleading the public by assuring consumers that their respective mobile applications were safe, when in fact the mobile apps left “consumers’ sensitive personal information at risk” by failing to implement industry-standard safety measures. The FTC alleged that Credit Karma and Fandango disabled the Secure Sockets Layer (“SSL”) encryption in their mobile applications. SSL is the de facto standard for secure Internet communications, providing end-to-end security against active, man-in-the-middle attacks. Without such encryption, any communication transmitted through a mobile application can be intercepted by an outside attacker—a vulnerability of particular concern when a mobile application’s communications are transmitted over public Wi-Fi networks. A basic systems test would have revealed that SSL was not functioning in either Fandango’s or Credit Karma’s systems.

The FTC settlement required each of Credit Karma and Fandango to “establish comprehensive security programs designed to address security risks during the development of their applications and to undergo independent security assessments every other year for the next 20 years.” Additionally, the FTC prohibited each company from misrepresenting their security measures to the users of their mobile applications.

What constitutes a “comprehensive security program?” Each mobile application presents its own risk profile. A good starting point for assessing public responsibility in mobile application security is the FTC Business Center. Here, the FTC makes available a wealth of data security information, addressing requirements for truthful mobile application marketing, guidelines and tips for assessing and maintaining mobile application security, and protection of consumers’ personally identifiable information.

Additionally, the Open Web Application Security Project (OWASP) maintains the OWASP Top Ten, a security document produced by a group of leading security experts. OWASP itself is a non-profit global community whose purpose is to assist organizations in developing and maintaining secure and trustworthy applications. In addition to presenting research and information applicable to application security threats, OWASP is also a useful source of open application security tools and standards.

Ultimately, there is no one-size-fits-all security program sure to address all potential risks: Individual security risk assessment, proportional mitigation measures and continued security system monitoring, together with truthful consumer disclosures, provide the best start to building an application consumers can trust.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Davis Wright Tremaine LLP | Attorney Advertising
