Citi iPhone Security Flaw

The Wall Street Journal reports that Citibank's mobile-banking application for Apple Inc.'s iPhone contained a security flaw and advised its customers to upgrade to a newer version that corrects the problem.

The iPhone app accidentally saved information—including account numbers, bill payments and security access codes—in a hidden file on users' iPhones. The information may also have been saved to a user's computer if it had been synched with an iPhone.

We talk about the very same issue in Chapter 7 of the book:

"With mobile computing, attackers can reverse-engineer an application’s byte code or binaries and identify vulnerabilities. The mobile application must also be careful when storing/caching sensitive data locally on the phone."

and follow-up with a summary towards the end of the chapter:

"Applications running on mobile devices should limit the information that will be cached in the device. There is a risk of the device being lost or stolen."

iOS APIs have improved with time in terms of providing cryptographic functionalities. Here is a good post by Nick Harris about Data Encryption on iOS4 for further reading.

No comments:

Post a Comment