Starbucks in hot water; security on its iOS app not worth a hill of beans

Right on the heels of a report showing that 90% of mobile banking apps have security lapses, coffee king Starbucks admits that it does not encrypt usernames or location data on its iOS mobile payment app. To make matters worse, we are taking about the most used mobile payment app in the states. Besides usernames, geolocation data, email addresses and passwords have been stored in clear text, an inviting target for identity thieves.

It is a 'Tall' mistake for Starbucks. The information could have come tumbling out of any iPhone connected to a PC. The handset does not need to be jailbroken. Starbucks apparently decided to make its app fast for users by requiring that usernames and passwords be entered just once when using the app. After than initial entry, every time you use the Starbucks app to make a purchase, the username and email fields are already filled. The only time you need your password is when adding money to your account.


A pair of executives, Starbucks CIO Curt Garner and Starbucks Chief Digital Officer Adam Brotman, admitted to knowing that the data was being stored in clear text. Brotman says that this is no longer an issue because the caffeine pusher has security in place. The executive says that "usernames and passwords are safe," thanks to "extra layers of security." Two hours later, a test by security expert Daniel Wood revealed that the information was still in clear text. This time though, a geolocation history file was found, detailing the longitude and latitude of the researcher each time he used the store locator on the app. Wood is the gentleman who discovered the security breach in the first place.

A thief would need only 30 minutes with your iPhone to steal your personal data from the Stabucks app, and your PIN number means nothing. If you opt for the auto-replenish feature, your bank account information could be at risk. Gartner security analyst Avivah Litan says of the Starbucks app, "They can come up with any rationale that they want to, it's just bad security practice. You don't store passwords in the clear. Ever."

Wood posted the information about Starbuck's use of unencrypted data on a website after unsuccessfully trying to interest the company in his research. This is exactly what happened to messaging app Snapchat after a security firm tried to contact it about exploits on its app. The security firm eventually published the exploits in a tweet which led to a massive leak of usernames and phone numbers (last two digits redacted) for 4.6 million Snapchat users. Let these two incidents be a warning to corporations that when a security firm is trying to get your attention about a major security breach on your app, it pays to at least give them the courtesy of listening to what they have to say.

source: Seclists.org,ComputerWorld via MacRumors