Similar to its web counterpart, the Bank of America iPhone App has a mechanism that kicks in when the user’s session has expired. The user is shown an alert, but the last screen they viewed in the app is still visible:

The problem with this treatment is that the alert does not protect the privacy of the user (and who knows perhaps there is a security hole as created by this alert but nothing I’ve picked up on yet). Whoever has picked up this phone and is now viewing the app can see the various account balances and the last four digits of the different accounts on this page.

A better treatment would be to mimic the standard practice for web flows and take the user to a specific logoff page or the home page and in both cases to not show any private account information. For example, the BOFA iPhone app can simply take the buyer back to the login page: