The Wall Street Journal reports on a security and privacy problem with Citigroup’s iPhone application:
Citigroup Inc. said its free U.S. mobile-banking application for Apple Inc.’s iPhone contained a security flaw and advised its customers to upgrade to a newer version that corrects the problem.
In an incident that highlights the growing security challenges around wireless apps, Citi said its iPhone app accidentally saved information—including account numbers, bill payments and security access codes—in a hidden file on users’ iPhones. The information may also have been saved to a user’s computer if it had been synched with an iPhone.
The issue affected the approximately 117,600 customers who had registered the iPhone app with Citi since its launch in March 2009, a person familiar with the matter said. The bank doesn’t believe any personal data was exposed by the flaw. […]
Citibank, with an estimated 800,000 mobile customers, ranks No. 5 in mobile banking, Celent said, behind Bank of America Corp. at No. 1 with an estimated 5 million users. In between are J.P. Morgan Chase & Co. at No. 2 with 2 million, United Services Automobile Association at No. 3 with 1.5 million, and Wells Fargo & Co. with 1.4 million, according to Celent estimates.
Experts worry that security isn’t keeping up with the app boom. Among their concerns is the prospect of “leakage” any time a wireless app logs confidential data. […]
Citi said it performed security tests before and after releasing the application, but failed to detect the problem. The bank said it is looking into why it didn’t find the vulnerability earlier.