Two apps on the Android platform could have exposed user data due to a lack of proper encryption. The developers of the movie ticket app Fandango and credit score app Credit Karma did not implement the right security measures to keep their customers’ information safe, according to the Federal Trade Commission.
As a result, personal information for millions of consumers was put at risk, including credit card information, usernames and passwords, and in the case of Credit Karma, Social Security numbers.
The problem with these apps was that they did not perform a crucial verification step before encrypting data. This made it possible for hackers to create imposter certificates that could allow them into the system because neither app checked for counterfeit credentials. A hacker with the right know-how could have done this through a public Wi-Fi connection.
Credit Karma disabled the verification process while testing its app for the iOS market and then failed to turn it back on. The issue lasted for six months, up until February 2013. The Fandango app skipped the verification process from March 2009 to February 2013.
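The failure described above, a test-only switch that turns off certificate validation and then ships, can be caught by a check on the TLS client configuration before release. The following is an added example, not code from either app or from the FTC; it uses Python's standard `ssl` module, and the flag name `disable_validation_for_testing` and the function names are hypothetical.

```python
import ssl


def make_context(disable_validation_for_testing=False):
    """Build a client TLS context. The flag models a test-only switch (assumed name)."""
    ctx = ssl.create_default_context()  # verifies the chain and the hostname by default
    if disable_validation_for_testing:
        # Weak setting: any certificate, including a forged one, is accepted.
        ctx.check_hostname = False       # must be cleared before verify_mode is relaxed
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx):
    """Return a list of findings; an empty list means servers are fully validated."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain is not verified")
    if not ctx.check_hostname:
        findings.append("certificate hostname is not checked")
    return findings


def release_gate(ctx):
    """Refuse to ship a context that would accept an imposter certificate."""
    findings = audit_context(ctx)
    if findings:
        raise RuntimeError("TLS validation disabled: " + "; ".join(findings))
    return ctx


if __name__ == "__main__":
    # Corrected configuration: passes the gate.
    release_gate(make_context())
    print("release build: validation enabled")

    # Test configuration left switched on: the gate blocks the build.
    try:
        release_gate(make_context(disable_validation_for_testing=True))
    except RuntimeError as err:
        print("blocked:", err)
```

The audit also flags the partial case where the chain is verified but the hostname is not, since a valid certificate issued for a different host would then be accepted.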
The FTC made both companies establish security programs to prevent future data leaks, and required the apps to undergo a security assessment every other year for the next 20 years. The companies were not fined for their actions.