Citi, Apple Disclose iPhone App Security Flaw

Beware, mobile bankers: Citigroup is encouraging Apple iPhone owners who downloaded the company's mobile banking app to upgrade to a patched version after a security flaw was found.

Banking giant Citigroup and iPhone maker Apple are encouraging users who downloaded Citi's banking application for the smartphone to upgrade to a new version after a security flaw was discovered in the application. The flaw accidentally saves personal information, including access codes, bill payment information and even bank account numbers, onto the iPhone or any computer it has been synchronized with.

"During a recent review, we discovered that our U.S. Citi Mobile iPhone banking app was accidentally saving information related to customer accounts in a hidden file on their iPhones," the company announced in a statement. "This information may also have been saved on their computer if they had been synchronizing their iPhone with their computer via iTunes."

The Wall Street Journal reported approximately 117,600 customers has been affected by the flaw since the app was launched in Apple's App Store in March 2009, although the paper's unnamed source said no personal data was exposed. "We have no reason to believe that our customers' personal information has been accessed or used inappropriately by anyone," the paper quoted the company as saying.

The paper also interviewed the CEO of mobile security specialist Lookout, John Hering, who warned that hackers could exploit flaws in banking applications in order to retrieve, and then exploit, personal information downloaded by the app. Many consumers, who may download multiple apps casually, may not be aware to what level of risk they are exposed, he said. "Most consumers and app developers don't know what is happening in their apps, because it is moving so fast," Hering told the Journal. "Apps are proliferating so quickly. We will see more and more of this."

A recent survey by audit, tax and advisory firm KPMG found 19 percent of U.S. consumers have conducted banking transactions on a mobile device, compared with only 9 percent when the company last completed the survey 18 months ago. Among age groups, U.S. consumers age 16-24 conduct mobile banking the most, with 33 percent of the respondents in this bracket indicating they have conducted banking on a mobile device.  Among all U.S. respondents who have not conducted banking through a mobile device, 52 percent cited security and privacy as the primary reason. 

In addition, a March survey released by mBox found mobile banking gained a significant foothold in the U.S. and U.K. markets. The survey found 25 percent of U.S. mobile phone users and 37 percent of U.K. mobile phone users have adopted mobile banking services.