Starbucks in hot water; security on its iOS app not worth a hill of beans

Starbucks in hot water; security on its iOS app not worth a hill of beans
Right on the heels of a report showing that 90% of mobile banking apps have security lapses, coffee king Starbucks admits that it does not encrypt usernames or location data on its iOS mobile payment app. To make matters worse, we are taking about the most used mobile payment app in the states. Besides usernames, geolocation data, email addresses and passwords have been stored in clear text, an inviting target for identity thieves.

It is a 'Tall' mistake for Starbucks. The information could have come tumbling out of any iPhone connected to a PC. The handset does not need to be jailbroken. Starbucks apparently decided to make its app fast for users by requiring that usernames and passwords be entered just once when using the app. After than initial entry, every time you use the Starbucks app to make a purchase, the username and email fields are already filled. The only time you need your password is when adding money to your account.


A pair of executives, Starbucks CIO Curt Garner and Starbucks Chief Digital Officer Adam Brotman, admitted to knowing that the data was being stored in clear text. Brotman says that this is no longer an issue because the caffeine pusher has security in place. The executive says that "usernames and passwords are safe," thanks to "extra layers of security." Two hours later, a test by security expert Daniel Wood revealed that the information was still in clear text. This time though, a geolocation history file was found, detailing the longitude and latitude of the researcher each time he used the store locator on the app. Wood is the gentleman who discovered the security breach in the first place.

A thief would need only 30 minutes with your iPhone to steal your personal data from the Stabucks app, and your PIN number means nothing. If you opt for the auto-replenish feature, your bank account information could be at risk. Gartner security analyst Avivah Litan says of the Starbucks app, "They can come up with any rationale that they want to, it's just bad security practice. You don't store passwords in the clear. Ever."

Wood posted the information about Starbuck's use of unencrypted data on a website after unsuccessfully trying to interest the company in his research. This is exactly what happened to messaging app Snapchat after a security firm tried to contact it about exploits on its app. The security firm eventually published the exploits in a tweet which led to a massive leak of usernames and phone numbers (last two digits redacted) for 4.6 million Snapchat users. Let these two incidents be a warning to corporations that when a security firm is trying to get your attention about a major security breach on your app, it pays to at least give them the courtesy of listening to what they have to say.

source: Seclists.org, ComputerWorld via MacRumors

FEATURED VIDEO

4 Comments

1. danishnigz

Posts: 5; Member since: Aug 31, 2013

That level of puns in the first half of the article xD

2. elitewolverine

Posts: 5192; Member since: Oct 28, 2013

So a security company can breach the security of the app and not be held accountable? Makes little sense to me. Also the auto reload only happens once a day, so unless you are going to overload on coffee since they dont have access to the bank info as that is blanked out to my knowledge, what can they get? Access to coupons? I guess. Then again people routinely use the same password email combos so that is a huge mistake/potential. But it did say that they need the iphone in the first place right? Meaning a stolen phone...

3. Ant34

Posts: 193; Member since: Aug 10, 2013

Why should someone be held accountable for breaching the security of an app on their mobile device?

4. elitewolverine

Posts: 5192; Member since: Oct 28, 2013

What? You have not read the terms of agreement I suppose. Most people don't, only the courts see those. (a) any resale or commercial use of the Sites or Site Materials; (b) the collection and use of any product listings, pictures or descriptions; (c) the distribution, public performance or public display of any Site Materials; (d) modifying or otherwise making any derivative uses of the Sites and the Site Materials, or any portion thereof; (e) use of any data mining, robots or similar data gathering or extraction methods; (f) downloading (other than the page caching) of any portion of the Sites, the Site Materials or any information contained therein, except as expressly permitted on the Sites; or (g) any use of the Sites or the Site Materials other than for its intended purpose. Any use of the Sites or Site Materials other than as specifically authorized herein, without the prior written permission of Starbucks, is strictly prohibited and will terminate the license granted herein.

Latest Stories

This copy is for your personal, non-commercial use only. You can order presentation-ready copies for distribution to your colleagues, clients or customers at https://www.parsintl.com/phonearena or use the Reprints & Permissions tool that appears at the bottom of each web page. Visit https://www.parsintl.com/ for samples and additional information.