Security Architecture, Endpoint/Device Security, Endpoint/Device Security, Network Security, Security Strategy, Plan, Budget, Vulnerability Management, Endpoint/Device Security, Endpoint/Device Security, Endpoint/Device Security

Citi urges iPhone app update due to data storage risk

Citigroup has released an update to its iPhone mobile banking application after it was discovered that the previous version, unbeknownst to users, saved confidential account information in a hidden file on their devices.

The prior version of the Citi Mobile application also may have saved the same data onto users' computers if they synced their iPhone to their computer using iTunes.

"This update deletes any Citi Mobile information that may have been saved to their iPhone or computer, and it eliminates the possibility that this will occur in the future," said a Citigroup statement emailed Monday to SCMagazineUS.com.

The statement said that no other Citi mobile programs were affected and that there is no reason to believe that any sensitive data was accessed as a result of the issue.

Neil MacDonald, a vice president and fellow at research firm Gartner, said users should expect to see similar incidents in the future due to poor developer design and a lack of security vetting by owners of application stores, such as Apple.

In the case of Apple, the company should conduct testing and provide developers with clear guidelines, such as how sensitive information must be handled, MacDonald told SCMagazineUS.com on Monday. This is especially critical because users tend to trust any mobile application they find in stores.

"I think because of that implied responsibility, Apple needs to step up the testing it performs," he said. "I'd say the same of Google [maker of the Android] and Microsoft [maker of Windows Phone 7]."

Meanwhile, developers such as Citigroup must implement similar guidelines and conduct threat modeling, a process that will help determine things such as where sensitive data is being stored, how might a hacker be able to access such data and whether the user properly is being notified of any data being stored, MacDonald said.

He said that many times developers make mistakes in a rush to distribute a product.

"You cannot overlook security in the development process, even if it is agile development," MacDonald said.

An Apple spokesperson did not respond to a request for comment.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.