Western Union and four other companies agreed to significantly improve the security of their mobile apps, following a challenge by authorities in New York.
The state’s attorney general announced it had found that apps offered on Google Play and Apple’s App Store by Western Union Financial Services; Priceline; Equifax Consumer Services; Spark Networks; and Credit Sesame failed to protect users’ data because they were vulnerable to a widely known security flaw that enabled man-in-the-middle attacks.
In a statement, the attorney general’s office said the apps risked revealing “sensitive user information” including passwords, social security numbers, credit card details and bank account numbers when details were transmitted over the internet.
Attorney general Barbara Underwood said businesses which pledge to protect the personal information of users “have a duty to keep those promises”.
The attorney general’s office said an investigation revealed the companies’ apps failed to properly implement the secure sockets layer (SSL) and transport layer security (TLS) certificates used to protect data sent and received on a mobile device when using a public Wi-Fi connection.
It noted app developers can test their apps’ ability to properly validate SSL/TLS certificates using “freely available software”.
As part of a settlement deal, all five companies have agreed to implement “comprehensive security programmes” to protect user information from potential future attacks.
Priceline and Equifax noted they had agreed their settlements in 2016 and 2017 respectively, Mobilepaymentstoday reported.