Citi issues warning about iPhone app security flaw

27 July 2010

Citigroup is advising US-based users of its free iPhone banking app to upgrade to a newer version that addresses coding-based security flaws.

Apparently the Citi iPhone app stored personal data, including account numbers, bill payments, and security access codes, in a hidden yet accessible file on a user’s iPhone, according to a report from the Wall Street Journal.

The data may also be on users’ computers if their iPhones are synced with personal machines.

Citi told the WSJ that more than 117 000 people have registered for the Citi iPhone mobile banking app, but the company does not believe that personal data was exposed by what is being called a programming design flaw.

Reports indicate that the iPhone app was jointly developed by Citi and mFoundry, which is a mobile banking technology firm based in California. The CEO of mFoundry told InformationWeek that this security problem is unique to Citi because of the cooperative development that caused co-mingled code, and it does not affect other mFoundry customers to his knowledge.

Commenting on the incident, Paul Vlissidis, technical director at independent IT assurance specialist NCC Group, complimented Citi on its quick response to the security flaw.

“However, in the same way as for online banking, mobile banking must prove itself to be secure in order to achieve widespread customer adoption, and instances like this only slow this process”, he added.

Vlissidis said that application developers must take responsibility for security, but they are not the only ones that must do so to maintain customer trust.

“Platform OS vendors have a duty of care to ensure that malicious or vulnerable apps are not made available through their stores, and developers of mobile apps must keep security front of mind, especially when the programs require users to input personal information.”
