Developers of two popular smartphone apps—Fandango and Credit Karma—have been caught transmitting passwords, social security numbers, birth dates, and other highly sensitive user data over the Internet without properly encrypting it first, officials with the Federal Trade Commission said.

As a result, it was trivial for hackers to intercept the data when people used the apps on both Apple's iOS and Google's Android mobile operating systems, complaints filed by the FTC alleged. The complaints leveled charges of other shortcomings in the developers' security, including the failure to properly test and audit the safety of apps before making them available for download. The improper encryption, which security experts warn is akin to having no encryption at all, was allowed to persist for four years at Fandango. The company also failed to have an adequate process for receiving vulnerability reports from researchers and other third parties, FTC officials said.

Fandango has as many as 100 million downloads from the iOS App Store and Google Play market for Android. Among other things, the app allows users to buy movie tickets. Credit Karma has five million to 10 million downloads and allows users to monitor their credit scores.

Both apps failed to perform a crucial verification step—checking the certificate presented by the server—before encrypting data and sending it from a smartphone to Internet servers. The authentication failure meant that anyone with the ability to monitor the connection—say, someone on the same public Wi-Fi network, a rogue employee of a telecom or Internet service provider, or even a state-sponsored agency—could present a self-generated imposter certificate. Because the apps didn't check for counterfeit credentials—a standard step that's not technically demanding to carry out—attackers could use the imposter certificate to encrypt, decrypt, and even modify traffic transmitted by the apps.

The old normal

The omissions by Fandango and Credit Karma are glaring because the apps exposed sensitive personal data of millions of people to hacks that are trivial to carry out. As Ars reported in February, phony secure sockets layer certificates for Google, Facebook, iTunes, and many other big sites aren't hard to find circulating on the Internet. All an attacker needs to make them work is the type of man-in-the-middle position that's possible on a public Wi-Fi network and an app that fails to perform basic certificate verification.

Sadly, as grievous as the Fandango and Credit Karma failures are, previous research has shown that they're by no means isolated. An academic paper published in 2012 documented that Android apps downloaded as many as 185 million times exposed banking and social networking credentials and e-mail and instant-messaging contents because the apps didn't carry out the verification steps mandated in the formal secure sockets layer and transport layer security specifications. A separate report from that same year found that many computer applications suffered the same deficiency.

In the case of Credit Karma, developers disabled certificate validation during the testing of its iOS app and then failed to remove the override function when releasing it into Apple's App Store, an FTC complaint alleged. Even after catching and fixing the vulnerability six months later, developers made the same override error when releasing the Android version of Credit Karma in February 2013, officials said.
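The failure described above (the missing certificate check) and the test-time override that Credit Karma shipped, reproduced in miniature as an added example that is not code from the article or from either company: a local HTTPS server whose self-signed certificate stands in for an imposter, contacted once by a client with verification switched off and once by the default verifying client. The names `ImposterAccepted` and `fetch` and the server fixture are my own.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// newImposterServer starts a loopback HTTPS server with a self-signed
// certificate that no client trust store recognises. It plays the role of a
// man-in-the-middle presenting a self-generated certificate (constructed fixture).
func newImposterServer() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "intercepted")
	}))
}

// fetch issues one GET. With skipVerify=false the client applies normal
// certificate validation; skipVerify=true is the equivalent of the
// "disable validation for testing" override left in the shipped apps.
func fetch(url string, skipVerify bool) error {
	client := &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{InsecureSkipVerify: skipVerify},
	}}
	resp, err := client.Get(url)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	return nil
}

// ImposterAccepted reports whether a client built with the given setting
// completes a TLS session with the imposter server.
func ImposterAccepted(skipVerify bool) bool {
	srv := newImposterServer()
	defer srv.Close()
	return fetch(srv.URL, skipVerify) == nil
}

func main() {
	fmt.Println("verification disabled, imposter accepted:", ImposterAccepted(true))  // true
	fmt.Println("verification enabled, imposter accepted: ", ImposterAccepted(false)) // false
}
```

The verifying client fails the handshake with an unknown-authority error, which is exactly the check the FTC complaints say both apps skipped.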

Fandango, meanwhile, allowed its app for iOS to skip verifications from March 2009 to February 2013. The omissions underscore the lack of testing not only by the app developers but also by the review processes for both Apple's App Store and the Google Play market.

The FTC has often come under criticism for doing little more than issuing wrist slaps when it discovers privacy violations. Indeed, neither Fandango nor Credit Karma is paying any fines in the settlements announced Friday. Still, the agency deserves credit for doing what Apple, Google, and the app developers failed to do—test the SSL protections of apps installed on hundreds of millions of smartphones—and for bringing an overlooked problem to national attention.

Furthermore, the FTC has succeeded in getting both Fandango and Credit Karma to establish comprehensive security programs and to undergo independent security assessments every other year for the next 20 years. The settlements may not do much to fix other deficient apps, but it's a start.