Mobile Application: Security Best Practices


The industry for mobile applications is growing rapidly. As companies and independent developers look to gain—or strengthen—footholds in this competitive space, the Federal Trade Commission (FTC) asks, “… is security keeping up” with mobile application companies’ public assurances of safety? The potential pitfalls of overpromising and underperforming when it comes to mobile application security are highlighted in the recent Credit Karma and Fandango FTC settlements.

In both the Credit Karma and Fandango cases, the FTC charged the companies with misleading the public by assuring consumers that their respective mobile applications were safe, when in fact the mobile apps left “consumers’ sensitive personal information at risk” by failing to implement industry standard safety measures. The FTC alleged that Credit Karma and Fandango disabled the Secure Sockets Layer (“SSL”) encryption in their mobile applications. SSL is the de facto standard for secure Internet communications, which provides end-to-end security against active, man-in-the-middle attacks. Without such encryption, any communication transmitted through a mobile application can be intercepted by an outside attacker—a vulnerability of particular concern when a mobile application’s communications are transmitted over public Wi-Fi networks. A basic systems test would have revealed that SSL was not functioning in either Fandango’s or Credit Karma’s systems.
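The “basic systems test” the paragraph refers to can be as simple as inspecting how an app configures its TLS client before release. The following added example is not code from either company or from the FTC materials; it constructs, for illustration only, a hypothetical misconfigured context of the kind the paragraph describes (verification switched off), a hardened default, and a small `audit_tls_context` check that flags the settings an attacker on the same Wi-Fi network would exploit. The function and context names are assumptions made for this example.

```python
import ssl


def weak_context() -> ssl.SSLContext:
    """Constructed illustration of the misconfiguration described above.

    Not code from Credit Karma or Fandango: it simply shows what a client
    looks like when certificate verification has been switched off.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # hostname check must be off before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE  # any certificate is accepted, including an interceptor's
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Hardened baseline: system CA store, CERT_REQUIRED, hostname check, TLS 1.2 floor."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # set explicitly; older Pythons default lower
    return ctx


def audit_tls_context(ctx: ssl.SSLContext) -> list:
    """Return a list of findings; an empty list means the context passes the check.

    This is the release-time test the paragraph says would have caught the
    problem: it reads the context's effective settings rather than trusting
    what the app's marketing claims.
    """
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("certificate verification disabled (verify_mode=CERT_NONE)")
    if not ctx.check_hostname:
        findings.append("hostname check disabled (check_hostname=False)")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol floor below TLS 1.2 (minimum_version)")
    return findings


if __name__ == "__main__":
    for name, ctx in (("weak", weak_context()), ("hardened", hardened_context())):
        result = audit_tls_context(ctx)
        print(f"{name}: {'PASS' if not result else 'FAIL'}")
        for finding in result:
            print(f"  - {finding}")
```

Running the check against every `SSLContext` an app builds, as part of the build or a pre-release review, turns the assurance “our app uses SSL” into something that is actually verified rather than merely asserted.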

The FTC settlement required both Credit Karma and Fandango to “establish comprehensive security programs designed to address security risks during the development of their applications and to undergo independent security assessments every other year for the next 20 years.” Additionally, the FTC prohibited each company from misrepresenting its security measures to the users of its mobile applications.

What constitutes a “comprehensive security program?” Each mobile application presents its own risk profile. A good starting point for assessing public responsibility in mobile application security is the FTC Business Center. Here, the FTC makes available a wealth of data security information, addressing requirements for truthful mobile application marketing, guidelines and tips for assessing and maintaining mobile application security, and protection of consumer personally identifiable information.

Additionally, the Open Web Application Security Project (OWASP) maintains the OWASP Top Ten, a security document produced by a group of leading security experts. OWASP itself is a non-profit global community whose purpose is to assist organizations in developing and maintaining secure and trustworthy applications. In addition to presenting research and information applicable to application security threats, OWASP is also a useful source of open application security tools and standards.

Ultimately, there is no one-size-fits-all security program sure to address all potential risks: individual security risk assessment, proportional mitigation measures and continued security system monitoring, together with truthful consumer disclosures, provide the best start to building an application consumers can trust.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Davis Wright Tremaine LLP | Attorney Advertising

Written by: Davis Wright Tremaine LLP
