Citibank discloses security flaw in iPhone banking application

Citigroup customers using its iPhone app for mobile banking are being urged to apply an update after the company found a security flaw. The program was storing personal data in a file that could have potentially opened the user up to identity theft.

The issue was discovered during a routine security check of the company's products. Citi Mobile was released in March and was updated on July 19 to fix the issue. Customers were notified by mail beginning the following day. The update will erase this file from the phone as well as the computer when applied and synced with iTunes.

The company said there was no evidence that the data had been used in a malicious manner.

Approximately 118,000 customers were using Citi Mobile for iPhone and all had been contacted as of Monday. It was not clear how many of those had downloaded the update. A BlackBerry version of the application was not affected, and other applications do not have the same problem, the company assured.

Information stored included sensitive data such as account numbers and security access codes. The file itself was hidden, however it was synced to the users home computer when connected with iTunes.

Citi also said that it was conducting an internal investigation as to why the issue was not found when its in-house security term combed the app for possible vulnerabilities.

John Hering, founder of mobile phone security company Lookout, told the New York Times' Bits blog Monday that Citi's issue underscores the increasing vulnerability of smartphones when it comes to sensitive data.

"Mobile apps are often exposing more information than people realize," he argued. "I think this is going [to] be the beginning of more and more applications that have this kind of problem."

Citi did not say how long it took Apple to release the update once the flaw was discovered, or when it had first sent the update to Apple for it to be approved.

© 1998-2019 BetaNews, Inc. All Rights Reserved. Privacy Policy - Cookie Policy.