Citibank reveals flaw in their iPhone app
Citibank has admitted that their iPhone app contained security flaws that could allow hackers to steal sensitive user banking information, but is this an iPhone security problem or a Citibank security problem?
Citibank, one of the largest banks in the world, has admitted that the iPhone app that they wrote (or perhaps caused to be written) was written in such a way that a hacker who gained access to the phone could get at sensitive user banking information, such as account numbers, bill payments and security access codes. Somehow, this is being painted as a mobile device security problem, and sometimes even specifically as an iPhone security problem, when in truth it seems to be purely a problem with the way a major U.S. bank, which should know much better, coded their application for the iPhone.
Creating a temporary file containing sensitive user banking information is not an intelligent way to code such an application, yet that is what the Citi programmers did. Worse, though the file was in a hidden directory and at least slightly difficult to find, they failed to erase the file when they were through with it. To add idiocy to injury, the backup process via iTunes copied that file full of sensitive information to the user’s laptop or desktop computer when they hooked their iPhone up to sync it. This is, indeed, very poor security in action, but it has nothing in it to allow the indictment of the mobile industry and its devices.
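The mistake described above, in miniature, as an added illustration that is not Citibank's code and not from the article: the insecure pattern (sensitive session data written to a file in a hidden directory and never removed, so it outlives the session and is swept up by any backup) beside a hardened version, followed by a pre-release audit a developer can run against an app's own data directory to catch leftover files holding account-number-like values. The directory layout, file names, account values and the `demo()` helper are all constructed for this example.

```python
"""Added example (not Citibank's code): the leftover-temp-file mistake beside a
hardened version, plus an audit of an app's data directory. All data constructed."""
import os
import re
import tempfile
from pathlib import Path

# Constructed sample of the kind of data the article says was cached on the device.
SAMPLE_SESSION = {
    "account_number": "1234567890123456",  # constructed, not a real account
    "access_code": "7345",                 # constructed
    "bill_payments": "ELECTRIC 120.00;WATER 45.10",
}

# Crude marker for account/card-number-like content: a long run of digits.
ACCOUNT_PATTERN = re.compile(r"\b\d{12,19}\b")


def insecure_flow(app_dir: Path) -> Path:
    """The pattern described in the article: session data written to a file under
    a hidden directory, used, and then simply forgotten. The file persists and
    would be copied along with everything else by a device backup."""
    cache_dir = app_dir / ".cache"          # hidden, but hidden is not protected
    cache_dir.mkdir(parents=True, exist_ok=True)
    path = cache_dir / "session.tmp"
    path.write_text("\n".join(f"{k}={v}" for k, v in SAMPLE_SESSION.items()))
    # ... the app reads the file while the session is active ...
    return path                             # left on disk


def hardened_flow(app_dir: Path) -> Path:
    """Keeps the data on disk only as long as it is needed: the file is created
    with owner-only permissions, and it is overwritten and unlinked in a
    finally block so an exception cannot leave it behind. The overwrite is
    best-effort (flash storage gives no guarantee); the real fix is not to
    persist this data at all."""
    scratch_dir = app_dir / "tmp"
    scratch_dir.mkdir(parents=True, exist_ok=True)
    fd, name = tempfile.mkstemp(dir=scratch_dir)   # mkstemp creates the file 0600
    path = Path(name)
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write("\n".join(f"{k}={v}" for k, v in SAMPLE_SESSION.items()))
        # ... the app reads the file while the session is active ...
    finally:
        size = path.stat().st_size
        with open(path, "r+b") as fh:
            fh.write(b"\0" * size)
            fh.flush()
            os.fsync(fh.fileno())
        path.unlink()
    return path                             # no longer exists


def scan_for_leftovers(app_dir: Path) -> list[str]:
    """Audit: walk the app data directory (hidden directories included; pathlib's
    glob does not skip dot-files) and report files containing account-number-like
    digit runs. Returns paths relative to app_dir."""
    hits = []
    for path in sorted(app_dir.rglob("*")):
        if not path.is_file():
            continue
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            continue
        if ACCOUNT_PATTERN.search(text):
            hits.append(path.relative_to(app_dir).as_posix())
    return hits


def demo() -> dict:
    """Run both flows in a fresh scratch directory and audit what remains."""
    app_dir = Path(tempfile.mkdtemp(prefix="leftover-demo-"))
    left = insecure_flow(app_dir)
    gone = hardened_flow(app_dir)
    return {
        "insecure_file_remains": left.exists(),
        "hardened_file_remains": gone.exists(),
        "audit_hits": scan_for_leftovers(app_dir),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the audit flagging `.cache/session.tmp` from the insecure flow while the hardened flow leaves nothing behind. The audit is the part worth keeping in a build pipeline: point it at the app's sandbox after an automated login-and-logout run, and a non-empty result fails the build.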
Any programmer can get it wrong regardless of the device for which his or her code is intended. And that is what happened in this case, according to a Wall Street Journal story. Making the leap from a badly programmed app to laying the blame at the feet of the mobile sector in general or Apple in particular is ridiculous. It is up to the app programmers to write secure code. If they failed to do that, there is little the mobile industry or a single cell phone manufacturer can do about it.