Citi confirms critical bug in iPhone mobile banking app
Citigroup has urged customers conducting mobile banking from their iPhones to immediately upgrade because a security flaw in the older app secreted account information on the smartphone.
A prominent iPhone security researcher said it would be trivial for someone to access the hidden file if they obtained a lost or stolen phone.
In a letter to customers, the U.S. banking giant said its Citi Mobile app saved banking information—possibly including account numbers, bill payments and access codes—in a hidden file on the iPhone.
The same concealed information may have also been saved to the Mac or Windows PC used to sync customers’ iPhones via iTunes, Citi acknowledged.
The three-time winner at the annual Pwn2Own hacking challenge and one of three researchers who uncovered the first iPhone vulnerability in July 2007. “But if it was lost, you could easily ‘jailbreak’ it, which gives you access to all the files.”
“Jailbreak” is the term used to describe hacking an iPhone so that the owner can install software not authorized by Apple.
Citi downplayed the threat. “We have no reason to believe that our customers’ personal information has been accessed or used inappropriately by anyone,” the company said.
“By their statement, I’m guessing that the file isn't encrypted,” said Miller, an analyst with Baltimore-based Independent Security Evaluators (ISE) and co-author of The Mac Hacker’s Handbook. “If it was encrypted, I would have thought they would have mentioned that.”
The biggest threat to users may be due to Citi’s iPhone app saving the same information to the Mac or PC used to sync the smartphone, said Miller, noting that vulnerabilities and exploits of personal computers are far more common than those of the iPhone. “That data would be backed up [from the iPhone] to the computer,” he said, and thus available.
“But frankly, I’d be more concerned if I lost my wallet than if I lost my iPhone,” Miller added.
Citi also noted that other iPhone software, including that used to manage bank-issued credit cards, wasn’t affected by the bug.