Security

Bugs & Fixes: What's the risk with the Citi Mobile security flaw

If you use Citigroup’s Citi Mobile iPhone app, make sure you update to the new version released this week. The update fixes a security flaw that, according to a Citi statement, could save data “including account numbers, bill payments and security access codes—in a hidden file on users’ iPhones.”

Given that the file is “hidden,” you might well ask: “How then could someone access the file?” The answer is that, in most cases, someone couldn’t. The file is presumably stored within the app’s folder on the iPhone—consistent with the “sandbox” restriction generally enforced by Apple for all apps. Via the standard iPhone interface, a user has no access to these app folders. So you’re safe so far.

However, if anyone jailbreaks your iPhone, they could easily access these otherwise off-limits folders. All they would need is either one of numerous apps that can be downloaded to a jailbroken iPhone or one of several third-party Mac programs that offer root access to a jailbroken iPhone (in some cases, Mac OS X’s Terminal would be sufficient). True hackers could access the hidden data even without a formal jailbreak (or so I have been told).

There is yet another possibility, relevant only if you have jailbroken your iPhone, enabled SSH, and not changed the iPhone’s root password: Someone could access and copy the hidden file via a Wi-Fi network to which your iPhone is connected—without you even being aware of the transfer.

Citi went on to say: “The information may also have been saved to a user’s computer if it had been synched with an iPhone.” I assume this means that the data are saved as part of a backup. This opens up the possibility that the data could be accessed via a utility such as File Juicer, which extracts data from backups. Alternatively, a user with access to your Mac could use your unencrypted backup to restore their iPhone, thereby transferring the hidden file to their device. Such possibilities are why I recommend enabling the “Encrypt iPhone backup” option in the Summary screen of your iPhone in iTunes.

At a practical level, I still consider this to be a relatively low risk danger. In order for you to get in trouble, someone with unscrupulous intent as well as knowledge of what to look for and how to find it, would have to gain access to your iPhone (or Mac with the relevant backup). If your iPhone was lost, someone would have to get to the file before you could perform a Remote Wipe. Not very likely all in all. But possible.

Regardless, I refrain from using any banking app on my iPhone. True, if you use online banking, your account is at risk to anyone with a Web browser and an ability to guess or otherwise find out your password. By why make the task any simpler? Installing a dedicated bank app in a device as easy to misplace as an iPhone seems, to me, to be asking for trouble.

Subscribe to the Apple @ Work Newsletter

Comments