Make Lemonade
Re-do the validation, then change your advertising to proclaim "Security audited by the FTC". Not many of their competitors could claim that! :-)
The US Federal Trade Commission (FTC) has forged settlement deals with a pair of companies accused of botching their SSL encryption and leaving people vulnerable to identity thieves. According to the watchdog, Fandango and Credit Karma failed to implement basic safeguards when sending highly sensitive personal information over …
It's WiFi Only for ...
1) Everyone with an iPod Touch.
2) Everyone with an iPad that's WiFi only.
3) Everyone with an iPhone on a talk/text-only plan (yes, they exist now).
4) Everyone on a pay as you go plan who hit their cellular data limit.
5) Everyone where there is wifi but no/poor cell phone reception.
Even if it made business sense (which it doesn't), I don't think Apple would approve a cellular-data-only app ... it wouldn't meet their standards.
SSL validation works and 100% solves this problem; they just got careless and skipped it.
Credit Karma had long been advertising with Little Old Grandma and Grandpa caricatures, with glasses and cane, as they complain about "free credit score sites" that want credit card info so they can charge you after the trial period, which Credit Karma doesn't do; it's always free.
So how do they make money?
Thus it's marketed as something no-fuss that old people should have, or their kids should sign them up for, so they can stop worrying and get back to surfing for elder lesbo flicks.
I seem to remember one of the oldest internet tricks is to lure the old folk with promises of safety and security to get the info to rob them blind.
Are we sure this lack of security with sensitive personal info was accidental?
We have recently completed penetration tests on a number of apps delivered by vendors such as SAP and others, who also failed to validate the certificates used to secure TLS connections, both from a revocation perspective and in terms of whether the certificate came from the expected supplier.
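An added illustration of the two failures raised above and in the "SSL validation works" comment (example code written for this page, not code from any of the apps or vendors named): the careless client context that accepts any certificate, the validating one (chain, hostname, optional CRL check of the leaf), and a check that the peer's issuer is the expected supplier. The issuer name "Example Trust CA" and the peer-certificate dict are constructed for the example; the dict uses the shape `SSLSocket.getpeercert()` returns.

```python
import ssl
from typing import Optional

# Constructed sample in the shape of SSLSocket.getpeercert(): nested tuples of
# relative distinguished names. Not a real certificate.
CONSTRUCTED_PEER_CERT = {
    "subject": ((("commonName", "api.example.com"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Example Trust CA"),),
        (("commonName", "Example Trust Issuing CA 1"),),
    ),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}


def careless_context() -> ssl.SSLContext:
    """The 'skipped validation' pattern: no chain check and no hostname
    check, so any certificate presented on the wire is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def validating_context(cafile: Optional[str] = None,
                       crlfile: Optional[str] = None) -> ssl.SSLContext:
    """Chain verification against trusted CAs plus hostname matching
    (create_default_context already sets CERT_REQUIRED and check_hostname).
    If a CRL file is supplied, the leaf is also checked for revocation."""
    ctx = ssl.create_default_context(cafile=cafile)
    if crlfile:
        ctx.load_verify_locations(cafile=crlfile)   # CRLs load the same way
        ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
    return ctx


def context_validates_peer(ctx: ssl.SSLContext) -> bool:
    """True only when the chain is required and the hostname is compared."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def issuer_org(peer_cert: dict) -> Optional[str]:
    """Pull organizationName out of the issuer RDNs of a getpeercert() dict."""
    for rdn in peer_cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return None


def issued_by_expected_supplier(peer_cert: dict, expected_org: str) -> bool:
    """After the handshake, reject a chain that validates but was not issued
    by the CA the app is contractually expecting (a pinning-style check)."""
    return issuer_org(peer_cert) == expected_org
```

In a live client, pass the dict returned by `sock.getpeercert()` on a socket wrapped with `validating_context()` to `issued_by_expected_supplier`; the careless context leaves `getpeercert()` empty, which is itself a sign that no validation happened.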
Trust the maths.....
Don't trust the implementation....