What The Citi iPhone Security Flaw Says About Mobile Security

Yesterday, the Wall Street Journal reported that Citigroup’s iPhone electronic banking app contained a security flaw that had been fixed. According to the article, a new version of the app has been made available to customers through Apple’s App Store. The Citi app was developed in conjunction with mobile app specialist mFoundry and allows customers to view their banking and/or credit card statements and make bank payments. From the Journal article:

“Citi said its iPhone app accidentally saved information—including account numbers, bill payments and security access codes—in a hidden file on users’ iPhones. The information may also have been saved to a user’s computer if it had been synched with an iPhone. The issue affected the approximately 117,600 customers who had registered the iPhone app with Citi since its launch in March 2009, a person familiar with the matter said. The bank doesn’t believe any personal data was exposed by the flaw.”

Forrester customers who are also Citi banking or credit card customers should immediately update their iPhone app. They should also change their account password if their phones have been stolen or lost.

I have not spoken to Citi about this matter, and I do not have inside knowledge about the nature of the vulnerability. However, it stands to reason that:

  • The fix and announcement were well-coordinated. The flaw was almost certainly discovered either by Citigroup or a “friendly” party — by virtue of the fact that a new version of the app was made available at the same time the flaw was announced. This is certainly better than the alternative: being presented with a zero-day flaw that left 100,000 customers exposed while Citi cobbled together a fix.
  • Citi has no way of knowing whether any personal data was exposed or not. In what has become a standard, boilerplated response to a toxic data spill, Citi handed its customers the soothing “we have no evidence that personal data was exposed” line. This is just PR-speak for “we really hope no data was exposed.” Researcher Charlie Miller concluded, like I did, that the disclosed data was stored in an unencrypted file. Miller: “You’d need an exploit to access it remotely . . . but if it was lost, you could easily ‘jailbreak’ it, which gives you access to all the files.”
  •  Outsourcing mobile app development is riskier than it seems. Citi based its app on software from vendor mFoundry. Despite the fact that mFoundry’s Financial Platform datasheet specifically states that “no shared PIN, no stored passwords” are used, in this case we know that part of that statement wasn’t true. Did Citi cut corners, or is mFoundry’s datasheet inaccurate? Regardless, this is a clear process failure. I think it is much more likely that the mistake would have been caught if the development had been done in-house at Citi, with a real security review done as part of the development process.
  • With mobile, it pays to keep up with OS security enhancements. The security capabilities of post-PC platforms like the iPhone’s iOS have been improving rapidly. In 2007, Apple’s Version 1 iPhone OS had a fairly complete API for key management and cryptography, but it wasn’t easy for developers to use. Version 4, recently unveiled by Apple, has excellent security libraries and data protection capabilities; see these two technical articles for details. Moreover, third parties can issue Apple devices digital certificates for strong authentication. Were Citi starting its mobile banking project today, it could have used all of these capabilities to deliver a highly secure experience without the risk of the type of the flaw that was announced yesterday. But because it launched in March 2009 — an eternity-seeming 16 months ago — it rolled its own scheme, with the results we now understand.

Financial services companies seeking to serve customers who have mobile devices like the iPhone have many choices ahead of them. How much security is enough? How do mobile apps relate to our cross-channel customer platform? Should sensitive information, such as transaction details or account passwords be stored on the device? The answers are not all easy to come to, and many are platform-specific. Nonetheless, the best way to begin answering these questions is to take control of the experience yourself.