I find it pretty hard to believe that saving a sensitive information file in a hidden location was an accident. Programmers, led by a specification which was designed by their team (or managers), developed the application to save the file in this manner.
There really are only two possibilities here (neither of which is an accident):
1) Gross negligence when it comes to the security of their applications (and the data which they collect and store), which does not speak well for Citigroup’s competence when it comes to information security. They felt that a hidden, but unencrypted file provided adequate security for sensitive banking information. Epic fail!
2) A rogue programmer took control of the project to purposefully insert this flaw. Yeah right! That’s about as likely as Citigroup’s off-balance-sheet assets being worth more than pennies on the dollar.
Either way, the consequence is the same. Any application or user that has access to the file system and is aware of the location of this file could access sensitive financial information stored by Citigroup’s iPhone online banking application. Yikes!