Apple and RIM battle security concerns

A Citigroup iPhone app contains a critical flaw

Apple and RIM are facing separate security problems, after an iPhone app developed by Citigroup was found to contain a critical flaw, and the United Arab Emirates claimed that BlackBerry handsets pose a "national security risk".

Citigroup has admitted in a statement to The Wall Street Journal that its iPhone banking app accidentally saved the personal information of 17,600 customers who have used it since its launch in March 2009.

Account numbers, bill payments and security access codes were stored in a hidden file on Citigroup customers' iPhones, and may also have been saved to any computer with which the handset was synchronised.

Only the US Citi Mobile iPhone banking app is affected, the bank said in a statement sent to V3.co.uk. Citigroup added that there is no evidence that any user information has been compromised.

Paul Vlissidis, technical director at IT assurance specialist NCC Group, believes that the flaw should be simple to patch, but warned that the incident may have repercussions for mobile banking.

"In the same way as online banking, mobile banking must prove itself to be secure in order to achieve widespread customer adoption, and instances like this only slow the process," he said.

"We are likely to see further vulnerabilities and breaches as apps become increasingly central to the mobile user experience, and the discovery of this vulnerability should undoubtedly further focus app developers on security."

Alex Kwiatkowski, a principal analyst at Ovum, said that the incident should act as a warning for banks to ensure that they use the same level of security for mobile transactions as they do for traditional banking.

"Mobile banking has not been sold to customers on the basis of security, but this incident will be a wake-up call for consumers as well," he said.

"Even if Citigroup is not at fault, it will receive the backlash as customers will associate its logo with the app."

Banks and financial institutions have been promoting mobile banking on the basis that it is convenient, simple and embedded into devices, Kwiatkowski said.

Citigroup is in contact with customers and is urging them to download the updated app. This deletes any information that may have been saved to a user's iPhone or computer, and it eliminates the possibility that the flaw will occur in the future, the firm said.

Meanwhile, RIM's BlackBerry handsets have been dubbed a "national security risk" by the United Arab Emirates (UAE) Telecommunications Regulatory Authority.

"Currently, BlackBerry operates beyond the jurisdiction of national legislation, since it is the only device operating in the UAE that immediately exports its data offshore and is managed by a foreign commercial organisation," the regulator said in a statement.

"As a result of how BlackBerry data is managed and stored, certain BlackBerry applications allow people to misuse the service, causing serious social, judicial and national security repercussions."

The problem is that RIM's method of encryption is too strong for the UAE government's liking, according to Ovum analyst Tim Renowden.

"The government is not able to monitor communications because of RIM's architecture. Security is one of the key selling points of the BlackBerry, so it is unlikely that RIM will negotiate," he said.

RIM could benefit from the situation as businesses could be made aware of the BlackBerry's strong security, but consumers may take the accusation at face value, Renowden warned.

The UAE said that it has been working for a long time to find a solution that operates within the boundaries of UAE law.

V3.co.uk contacted RIM, but the company declined to comment.