Citigroup announced recently that it found a security flaw in its popular mobile banking app for the iPhone and encouraged users to update to a newer version of the app that rectifies the problem. According to a report in the WSJ, the flawed version of Citibank’s iPhone app inadvertently stored private information such as account numbers and security codes in hidden files on the iPhone. Compounding the problem, the app would then push that sensitive information back up to a user’s computer when the device was attached for syncing.
Citibank maintains that no customer information was accessed, as the Citibank app was the only app with permission to access the aforementioned hidden files.
“We have no reason to believe that our customers’ personal information has been accessed or used inappropriately by anyone, i.e., there has been no data breach,” said Citibank spokesperson Natalie Riper.
Still, the updated app no longer stores such information on the phone and subsequently removes any hidden files that may have already been transferred to user computers.
Citi said in a statement on Monday that the security flaw was discovered during a routine security review, and that it soon informed affected users in a letter dated July 20. As for the app itself, it was initially conceived by financial services provider mFoundry, which then “handed it over to Citibank, which then combined it with custom code of its own.”
Citi is responsible for distributing and managing the app, Mr. Sievers said. MFoundry, which provides mobile-banking software to 150 banks and credit unions besides Citi, said none of its other customers were affected by the problem.
Citi said it performed security tests before and after releasing the application, but failed to detect the problem. The bank said it is looking into why it didn’t find the vulnerability earlier.