How Citibank dealt with an iPhone app security snag

Citigroup Inc. (C) has publicly disclosed a security flaw in its iPhone banking app. While the disclosure is clearly the right move, it also shines a light on some weaknesses in mobile banking that might not bode well for the industry in at least the near term.
Banking and finance is roundly accepted as a sure win for the mobile environment — the reasons for growth and global acceptance are impossible to ignore. The industry has spent more than a decade encouraging its customers to move from physical to virtual-based service in the online world for at least some of those reasons. But every security misstep the banking industry makes on mobile could push the public’s willingness to accept mobile banking back even further.
Over this past weekend, I tried opening my Citi Mobile iPhone banking app and received an error message telling me that my access code was no longer valid and that I could change it online. I received no e-mail about the abrupt reset, but there was a paper letter waiting for me to open in the mail when I got back home at the end of the weekend.
When I first received the error message via the app, I pulled up Citibank’s web site on my phone and changed my access code (a six-digit password Citibank uses for all non-PIN transactions). I wondered whether my accounts might have been compromised somehow. Never mind the fact I have very little to compromise.
The picture became clearer when I returned home and read the impersonal letter from Citibank. It read: “During a recent review, we discovered that our U.S. Citi Mobile iPhone banking app was accidentally saving information related to your accounts in a hidden file on your iPhone. This information may also have been saved on your computer if you have been synchronizing your iPhone with your computer via iTunes.”
The letter went on to inform me that an updated app “corrects the problem” and “deletes any information that may have been saved to your iPhone or computer, and it eliminates the possibility that this will occur in the future.” The bank then listed a 4-step process for customers to follow: download the updated app, launch the app, change your access code and sync your iPhone with your computer via iTunes.
I don’t recall when I installed the app update, but it very well could have been before I received the error message since it was already asking me for a new code. The updated app was posted to the App Store on July 19 and the letter I received in the mail was dated July 20, but it didn’t arrive until three or four days later.
While Citibank deserves kudos for publicly addressing and resolving the security glitch, there are still a few unanswered questions. Why are mobile apps “accidentally saving” personal information in a “hidden file” on smart phones? Are developers to blame for security flaws that can happen as a result? Why aren’t users asked to approve the storing of personal information on a device?
Until some of these fundamental questions are answered and corrected, it’s easy to see why so many banking customers will be holding tight to their ATM cards and the old, secure way of doing things for many years to come.