Citi confirms critical bug in iPhone mobile banking app
Saved access codes, other info to hidden file on smartphone and synced computers
Computerworld - Citigroup has urged customers conducting mobile banking from their iPhones to immediately upgrade because a security flaw in the older app secreted account information on the smartphone.
A prominent iPhone security researcher said it would be trivial for someone to access the hidden file if they obtained a lost or stolen phone.
In a letter to customers, the U.S. banking giant said its Citi Mobile app saved banking information -- possibly including account numbers, bill payments and access codes -- in a hidden file on the iPhone.
The same concealed information may have also been saved to the Mac or Windows PC used to sync customers' iPhones via iTunes, Citi acknowledged.
The Wall Street Journal first reported on the bug. Citi later confirmed that it had alerted mobile banking customers and upgraded the software on the App Store.
"During a recent review, we discovered that our U.S. Citi Mobile iPhone banking app was accidentally saving information related to customer accounts in a hidden file on their iPhones," Citi said in a statement Monday. "We have released an update...that corrects the problem. This update deletes any Citi Mobile information that may have been saved to their iPhone or computer, and it eliminates the possibility that this will occur in the future."
Citi's iPhone app was last updated July 19 to version 2.0.3. According to the software's App Store listing, the upgrade to 2.0.3 is mandatory and included both bug fixes and security enhancements.
According to noted iPhone vulnerability researcher Charlie Miller, it would be difficult for a hacker to access the saved file and its data remotely, but easy if they had obtained a lost or stolen phone.
"You'd need an exploit to access it remotely," said Miller, a three-time winner at the annual Pwn2Own hacking challenge and one of three researchers who uncovered the first iPhone vulnerability in July 2007. "But if it was lost, you could easily 'jailbreak' it, which gives you access to all the files."
"Jailbreak" is the term used to describe hacking an iPhone so that the owner can install software not authorized by Apple.
Citi downplayed the threat. "We have no reason to believe that our customers' personal information has been accessed or used inappropriately by anyone," the company said.
"By their statement, I'm guessing that the file isn't encrypted," said Miller, an analyst with Baltimore-based Independent Security Evaluators (ISE) and co-author of The Mac Hacker's Handbook. "If it was encrypted, I would have thought they would have mentioned that."
The biggest threat to users may be due to Citi's iPhone app saving the same information to the Mac or PC used to sync the smartphone, said Miller, noting that vulnerabilities and exploits of personal computers are far more common than those of the iPhone. "That data would be backed up [from the iPhone] to the computer," he said, and thus available.
"But frankly, I'd be more concerned if I lost my wallet than if I lost my iPhone," Miller added.
Citi also noted that other iPhone software, including that used to manage bank-issued credit cards, wasn't affected by the bug.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is email@example.com.
- Apple has bigger plans than just song ID with Shazam deal
- Automakers show off in-vehicle Wi-Fi, new smartphone interfaces
- First-to-market means diddly when it comes to smartwatches
- Apple slates WWDC for June 2-6, sets up ticket lottery
- Nadella to Cook on Office revenue sharing: Drop dead
- Microsoft scraps 'Windows-first' practice, puts Office on iPad before Surface
- iOS tops Android for Web browsing in U.S. and other developed nations
- Microsoft's free OneNote vaults to top of Mac App Store chart
- Apple discounts iPhone 5C 8%-9% in five markets via storage cuts
- Microsoft's OneNote strategy: Battle Evernote, or something bigger?
Read more about Security in Computerworld's Security Topic Center.
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts