Developers of two popular smartphone apps, Fandango and Credit Karma, transmitted passwords, Social Security numbers, birth dates, and other highly sensitive user data over the Internet without properly securing the connections that carried it, officials with the Federal Trade Commission said.
As a result, it was trivial for an attacker on the network path, for example on a shared Wi-Fi network, to intercept the data when people used the apps on both Apple's iOS and Google's Android mobile operating systems, complaints filed by the FTC alleged. The specific failure was in how the apps used SSL: they did not validate the certificate presented by the server, so anyone sitting between the app and its backend could present any certificate and the app would dutifully encrypt the user's data to the attacker. That is why security experts regard such encryption as akin to having no encryption at all. The complaints also charged the developers with other shortcomings, including the failure to properly test and audit the security of the apps before making them available for download. The certificate-validation flaw was allowed to persist for four years at Fandango. The company also failed to have an adequate process for receiving vulnerability reports from researchers and other third parties, FTC officials said.
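The FTC's complaints concerned SSL connections that did not check the server's certificate. The Go program below is an added example, not code from either app or from the FTC filings; it uses a local test server with a self-signed certificate to stand in for an attacker's endpoint and compares three client configurations: verification disabled (the pattern the complaints describe), the platform's default verification, and pinning to the genuine certificate. The server, handler, and credential payload are constructed for the demonstration.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// newBackend stands in for an app's API server. httptest signs its certificate
// with a throwaway self-signed CA that no platform trust store contains, so from
// a client's point of view it is indistinguishable from an attacker's certificate.
func newBackend() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		body, _ := io.ReadAll(r.Body)
		fmt.Fprintf(w, "received %d bytes", len(body))
	}))
}

// login posts a constructed credential payload (not real data) over the given
// transport and returns the server's reply, or the error that stopped the request.
func login(url string, tr *http.Transport) (string, error) {
	client := &http.Client{Transport: tr}
	resp, err := client.Post(url, "application/x-www-form-urlencoded",
		strings.NewReader("user=alice&password=hunter2&ssn=000-00-0000"))
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	reply, err := io.ReadAll(resp.Body)
	if err != nil {
		return "", err
	}
	return string(reply), nil
}

// VulnerableTransport is the pattern the FTC complaints describe: certificate
// verification is switched off, so the client encrypts to whoever answers.
func VulnerableTransport() *http.Transport {
	return &http.Transport{TLSClientConfig: &tls.Config{InsecureSkipVerify: true}}
}

// DefaultTransport verifies the server certificate against the platform trust store.
func DefaultTransport() *http.Transport {
	return &http.Transport{}
}

// PinnedTransport trusts only the one certificate the app was shipped with, so
// even a certificate from a publicly trusted CA is rejected unless it is this one.
func PinnedTransport(cert *x509.Certificate) *http.Transport {
	pool := x509.NewCertPool()
	pool.AddCert(cert)
	return &http.Transport{TLSClientConfig: &tls.Config{RootCAs: pool}}
}

// Outcome records how each client configuration behaved against the backend.
type Outcome struct {
	VulnerableAccepted bool   // InsecureSkipVerify: handshake succeeded, data sent
	DefaultRejected    bool   // platform trust store: handshake failed
	DefaultUnknownCA   bool   // ...specifically with x509.UnknownAuthorityError
	DefaultErr         string // the error text a developer would see
	PinnedAccepted     bool   // pinned to the genuine certificate: succeeded
}

// Demo runs the three clients against the same untrusted-certificate server.
func Demo() Outcome {
	srv := newBackend()
	defer srv.Close()

	var out Outcome
	_, err := login(srv.URL, VulnerableTransport())
	out.VulnerableAccepted = err == nil

	_, err = login(srv.URL, DefaultTransport())
	out.DefaultRejected = err != nil
	var unknownCA x509.UnknownAuthorityError
	out.DefaultUnknownCA = errors.As(err, &unknownCA)
	out.DefaultErr = fmt.Sprint(err)

	_, err = login(srv.URL, PinnedTransport(srv.Certificate()))
	out.PinnedAccepted = err == nil
	return out
}

func main() {
	fmt.Printf("%+v\n", Demo())
}
```

The first client sends the credentials happily to a server no trust store vouches for; the second refuses the handshake, which is the error developers are tempted to silence during testing and then ship; the third shows that the correct answer to "our test server's certificate is rejected" is to tell the client which certificate to trust, never to stop checking. On Android the equivalent mistake is a custom TrustManager or HostnameVerifier that accepts everything, and it is worth grepping a codebase for those before release.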
Fandango has as many as 100 million downloads from the iOS App Store and Google Play market for Android. Among other things, the app allows users to buy movie tickets. Credit Karma has five million to 10 million downloads and allows users to monitor their credit scores.