New York’s attorney general has settled with five tech and financial giants, requiring each company to implement basic security on their mobile apps.
The settlements force Credit Sesame, Equifax (yes, that Equifax), Priceline, Spark Networks and Western Union to ensure data sent between the app and their servers are encrypted. Specifically, the attorney general said their apps “could have allowed sensitive information entered by users — such as passwords, social security numbers, credit card numbers, and bank account numbers — to be intercepted by eavesdroppers employing simple and well-publicized techniques.”
In other words, their mobile apps “all failed” to properly roll out and implement HTTPS, one of the barest minimum security measures in any modern app’s security.
HTTPS certificates (also known as SSL/TLS certificates) encrypt data between a device, like your phone or computer, and a website or app server, ensuring any sensitive data, like credit card numbers or passwords, can’t be intercepted as it travels over the internet — whether that’s someone on the same coffee shop Wi-Fi network or your nearest federal intelligence agency.
These certificates are more common than ever, not least because when they’re not incredibly cheap, they’re completely free — and most modern browsers these days will bluntly tell you when a website is “not secure.” Apps are no different, but without a green padlock in your browser window, there’s often very little to know for sure on the face of it that your data is traversing the internet securely.
At least, with financial, banking and dating apps — you’d just assume, right? Bzzt, wrong.
“Although each company represented to users that it used reasonable security measures to protect their information, the companies failed to sufficiently test whether their mobile apps had this vulnerability,” the office of attorney general Barbara Underwood said in a statement. “Today’s settlements require each company to implement comprehensive security programs to protect user information.”
The apps were picked out after an extensive batch of app testing in an effort to find security issues before incidents happen. Underwood’s office follows in the footsteps of federal enforcement in recent years by the Federal Trade Commission, which brought action against several app makers — including Credit Karma and Fandango — for failing to properly implement HTTPS certificates.
In taking action, the attorney general gets to keep closer tabs on the companies going forward to make sure they’re not flouting their data security responsibilities.