Citigroup warned customers of a security flaw in its free iPhone app and urged them to update to the newest version, which fixes the problem. The discovery by Citigroup highlights a new frontier in security concerns as IT admins work to protect data on smartphone platforms.
Banks have been on the cutting edge, developing apps for smartphone platforms that let users view account balances, transfer funds, review pending transactions, make payments, and more. There are an estimated 18 million mobile banking customers in the United States, of which Citi has about 800,000, placing it fifth behind banks such as Bank of America.
The security concern in the Citigroup iPhone app is related to a file within the app that is accidentally storing sensitive information. Data such as account numbers, bill payments and security access codes are stored on the iPhone where they could be accessed later by attackers or other unauthorized users.
Fortunately, Citigroup proactively discovered the issue during a review and it does not believe that any customer data was compromised as a result of the flaw. However, the fact that the flaw existed at all illustrates the new era of security concerns IT admins must deal with in order to protect data on mobile devices like smartphones and tablets.
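The flaw described above is a case of an app persisting sensitive values (account numbers, access codes) in a plain file inside its own sandbox, exactly the kind of defect a pre-release review should catch. The script below is an added example, not Citigroup's code or anything from its app: it walks an app container directory and flags lines that look like an account number or an access code, so a reviewer can run it against a test device's app data before shipping. The directory names (`Documents`, `Library`) are modelled on an iOS app container, the regular expressions are illustrative assumptions (real account-number formats vary by bank), and the sample container it builds is constructed for the demo.

```python
import re
import tempfile
from pathlib import Path

# Signatures for values that should never sit in a plain file inside an app's
# sandbox. Both patterns are assumptions for illustration; a reviewer would
# tune them to the formats the app under review actually handles.
PATTERNS = {
    "account_number": re.compile(r"\b\d{10,12}\b"),
    "access_code": re.compile(r"(?i)\b(?:access[_ ]?code|passcode|pin)\s*[:=]\s*\S+"),
}

# App-writable directories, named after the iOS container layout (assumption).
SCAN_DIRS = ("Documents", "Library")


def scan_file(path: Path, root: Path) -> list:
    """Return one finding per (line, pattern) hit in a single file."""
    findings = []
    try:
        # errors="ignore" lets us skim binary-ish files without crashing.
        text = path.read_text(encoding="utf-8", errors="ignore")
    except OSError:
        return findings
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            if pattern.search(line):
                findings.append({
                    "file": path.relative_to(root).as_posix(),
                    "kind": kind,
                    "line": lineno,
                })
    return findings


def scan_container(root) -> list:
    """Walk the app-writable directories of a container and collect findings."""
    root = Path(root)
    findings = []
    for sub in SCAN_DIRS:
        base = root / sub
        if not base.is_dir():
            continue
        for path in sorted(base.rglob("*")):
            if path.is_file():
                findings.extend(scan_file(path, root))
    return findings


def build_sample_container() -> Path:
    """Constructed sample: one leaky cache file and one benign preferences file."""
    root = Path(tempfile.mkdtemp(prefix="app_container_"))
    cache = root / "Library" / "Caches"
    cache.mkdir(parents=True)
    # A cached key/value dump of the kind an app should never write to disk.
    (cache / "account_cache.txt").write_text(
        "accountNumber=1234567890\naccessCode=4321\nlastBillPayment=2010-07-26\n"
    )
    prefs = root / "Library" / "Preferences"
    prefs.mkdir(parents=True)
    (prefs / "theme.txt").write_text("theme=dark\nfontSize=14\n")
    return root


if __name__ == "__main__":
    for finding in scan_container(build_sample_container()):
        print(f"{finding['file']}:{finding['line']}  {finding['kind']}")
```

Run against the constructed container, the scan reports two hits in `Library/Caches/account_cache.txt` (the account number on line 1 and the access code on line 2) and nothing in the preferences file. A hit is a prompt to change the code so the value is not persisted at all, or is kept only in the platform's protected credential store, rather than a prompt to obfuscate the file.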
Apps are just a different form of software. They can crash, or crash the device they're running on, or contain coding errors that can be exploited to access sensitive information. It doesn't matter whether the apps are developed by third parties or created in-house; the possibility exists that a flaw in the app could lead to a security breach of some sort.
The lack of true multitasking in iOS 4, and of any third-party multitasking in the upcoming Windows Phone 7 platform, can provide a degree of protection. Allowing true multitasking opens up the possibility that a malicious app could run silently in the background, exploiting or accessing data from other apps running on the smartphone.
As smartphones continue to evolve, they operate more and more like palm-sized computers. They process e-mail and instant messaging communications, and, with storage ranging up to 32GB and beyond on devices like the iPhone 4, EVO 4G, and Droid X, the devices are capable of storing tons of sensitive information that could be compromised by an app vulnerability, or if the device is lost or stolen.
In a business environment, the apps that are authorized to be installed should be reviewed and approved by the IT department to ensure some level of due diligence. IT admins and users need to be aware of the potential security concerns of smartphones and tablets, and exercise some caution and common sense regarding the data that is stored on mobile platforms.