Safeguard Your Mobile App from FTC Privacy Violations

In May, the Federal Trade Commission fined Premom mobile app maker Easy Healthcare $200,000 for violating the Health Breach Notification Rule (HBNR) by sharing personal health information with advertisers. This incident took place only a few months after the FTC first enforced the HBNR when it fined pharmaceutical mobile app maker GoodRx $1.5 million for similar violations.

Such actions signal a heightened regulatory focus on protecting consumer privacy. “Digital health companies and mobile apps should not cash in on consumers’ extremely sensitive and personally identifiable health information,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection. “The FTC is serving notice that it will use all of its legal authority to protect American consumers’ sensitive data from misuse and illegal exploitation.”

Concerns over mobile app privacy and security have grown so much that the FTC recently voted to specifically include mobile apps in the HBNR. Organizations must take proactive steps to comply by building mobile apps that respect user privacy and keep sensitive data secure.

FTC Enforcement on the Rise

Recent settlements highlight the FTC’s aggressive action toward organizations that fail to prioritize digital privacy and security:

  • In June 2023, the FTC fined Microsoft $20 million for violating the Children’s Online Privacy Protection Act (COPPA) by improperly storing kids’ account information.
  • In December 2022, Epic Games, creator of the popular game Fortnite, was ordered to pay $520 million in relief after violating COPPA by misleading users into making unintentional purchases.
  • In October 2022, the online alcohol marketplace mobile app Drizly was penalized for security failures that led to the exposure of personal data of over 2.5 million customers.
  • In March 2022, the FTC fined Weight Watchers International $1.5 million after the company violated COPPA by illegally obtaining kids’ sensitive health data from the Kurbo mobile app.

‘Secure-by-Design’ Principles

As mobile app activity continues to grow and security frequently lags, we can expect violations to continue. Mobile-enabled organizations that want to avoid the wrath of the FTC must take steps to ensure their mobile apps respect user privacy while safeguarding sensitive data. Digital leaders should follow ‘secure-by-design’ principles through the entire mobile app development lifecycle:

  • Establish a Transparent Data Privacy Policy

Organizations must be transparent about how they will use and store user data. Android mobile app developers need to declare their data policies for Google Play™ Data Safety and iOS developers need to declare them for the Apple App Store™. Organizations must ensure that users understand what happens to their data so they can make informed decisions. Android developers can also verify that their mobile app safeguards data by obtaining an App Defense Alliance (ADA) Mobile Application Security Assessment (MASA) from an ADA Authorized Lab.

  • Assess Privacy Risks & Compliance Requirements in Preproduction

Mobile apps must adhere to industry-specific privacy requirements. mHealth or financial service mobile apps demand a high level of privacy to comply with the Health Insurance Portability and Accountability Act (HIPAA) or the Federal Financial Institutions Examination Council (FFIEC), respectively. Stakeholders must familiarize themselves with the privacy requirements for their specific industry and take steps to ensure the mobile app adheres to them.

  • Validate Third-party Components

All mobile apps rely on third-party libraries to speed the mobile app dev process. But vulnerabilities within third-party libraries can create security and privacy issues. Validating all third-party components used in the software development lifecycle (SDLC) helps reduce the chance of sensitive data falling into the wrong hands.

  • Continuously Test New Builds with Automation

Security analysts traditionally test mobile apps at the end of the dev pipeline, usually right before a release. This approach often leads to privacy issues going unchecked due to rushed testing and gaps in coverage. Instead of testing the mobile app right before a release, organizations should test new builds with continuous automated mobile application security testing. Security teams can run a battery of automated tests to pinpoint privacy issues after devs write new code and devs can fix them

  • Run Periodic Pen Tests

Automation can cover anywhere from 80% to 90% of mobile app testing requirements, but some areas still need human assistance. Multi-factor authentication, CAPTCHA and similar security features cannot be automated, so running a full-scope mobile penetration test helps avoid testing coverage gaps. Organizations can also combine automation and human expertise. This Guided Testing approach allows organizations to automate the majority of their mobile app security testing requirements while benefiting from the support of a professional security analyst who drops in to test the areas automation can’t assess.

  • Encourage Mobile AppSec Training

Mobile apps require secure coding techniques to maintain privacy and security. Developers should understand the basics of building secure mobile apps, and security analysts should understand the differences between testing web and mobile apps for security and privacy vulnerabilities. Familiarize your DevSecOps teams with mobile security requirements, upskill them in secure coding techniques, and ensure security analysts understand how to properly test mobile apps. Encourage them to enroll in free online training like NowSecure Academy so they can gain the knowledge needed to maintain compliance with FTC guidelines.

Don’t let FTC privacy violations jeopardize your organization’s business success. Maintain mobile app transparency and follow ‘secure by design’ principles to keep users and their personal information protected from cyberthreats.

 

Chief Mobility Officer at NowSecure