Starbucks is dealing with backlash from a discovery by an independent security researcher that its iOS mobile payments app collects and stores customer data in a risky way.
Daniel Wood posted his findings on seclists.org after trying futilely for months to convey his findings to Starbucks.
Wood showed how the popular Starbucks mobile app has been storing usernames, email addresses and passwords in clear text, in such a way that anyone with access to the phone can see the passwords and usernames by connecting the phone to a PC.
Starbucks CIO Curt Garner and Starbucks Chief Digital Officer Adam Brotman told ComputerWorld columnist Evan Schuman that they have known for an unspecified period of time that the credentials were being stored in clear text.
(UPDATE: Jan. 16, 3:02 p.m. Pacific. Garner has posted a letter assuring Starbucks patrons that the company is addressing the concerns raised by Wood's findings.
"Out of an abundance of caution, we are also working to accelerate the deployment of an update for the app that will add extra layers of protection," Garner says. "We expect this update to be ready soon and will share our progress here. While we are working on the update, we would like to emphasize that your information is protected and that you should continue to feel confident about the integrity of our iOS app.")
Jack Walsh, mobility program manager at ICSA Labs, a vendor-neutral testing and certification firm, says the incident is a "wakeup call for us - both as mobile consumers and employees."
The Starbucks app, which allows customers to purchase food and drinks directly from their smartphones, actually stores some customer data locally and unencrypted. By doing this Starbucks is able to make the user experience as simple as possible, only requiring re-authentication when topping up the app with more cash from an account, says Tony Anscombe, Senior Security Evangelist at AVG Technologies.
Most iOS apps don't store user details locally, and many apps make use of the Apple Keychain, which requires the user to enter a login and password each time they use the app. "It's less convenient, but much more secure as your data is not stored on the device and is encrypted," Anscombe says.
By choosing to store user data on the device itself, in plain text, Starbucks enables anyone with access to the phone to freely access the data stored by the Starbucks app, without even having to unlock the device.
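To make the contrast in the preceding paragraphs concrete, the following Swift example is added here; it is not code from the Starbucks app, from Wood's report, or from any vendor quoted in the article. It places the pattern the article describes (credentials written as plain text into the app's own container) beside the Keychain-backed form Anscombe points to, and adds a small self-audit that lists preference keys that look like stored secrets. The service identifier and the account and password values are constructed sample values, not anything from the page.

```swift
import Foundation
import Security

// Constructed sample identifier; a real app would use its own bundle-style name.
let service = "com.example.coffeeapp"

// The pattern the article describes: credentials written as plain text into the
// app's own container. UserDefaults persists to an unencrypted .plist, so anything
// that can read the container (a device backup on a connected PC, for example)
// reads the password too.
func storeCredentialsInsecurely(account: String, password: String) {
    let defaults = UserDefaults.standard
    defaults.set(account, forKey: "username")
    defaults.set(password, forKey: "password")   // lands unencrypted in a .plist
}

// The alternative the article contrasts it with: the Keychain. The OS encrypts the
// item, and with this accessibility class it is only readable while the device is
// unlocked and is never migrated to another device via backup or restore.
func storeCredentialsInKeychain(account: String, password: String) -> OSStatus {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
    ]
    // Remove any earlier item for this account so SecItemAdd does not fail
    // with errSecDuplicateItem.
    SecItemDelete(query as CFDictionary)

    var attributes = query
    attributes[kSecValueData as String] = Data(password.utf8)
    attributes[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly
    return SecItemAdd(attributes as CFDictionary, nil)
}

// Read the secret back; returns nil if the item is missing or the device is locked.
func readPasswordFromKeychain(account: String) -> String? {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
        kSecReturnData as String: true,
        kSecMatchLimit as String: kSecMatchLimitOne,
    ]
    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    guard status == errSecSuccess, let data = result as? Data else { return nil }
    return String(data: data, encoding: .utf8)
}

// A self-audit a developer or reviewer can run inside their own app: which
// UserDefaults keys look like they hold a secret? Any hit is a candidate for
// moving into the Keychain.
func findPlaintextSecretKeys() -> [String] {
    let suspicious = ["password", "passwd", "pwd", "token", "secret"]
    return UserDefaults.standard.dictionaryRepresentation().keys
        .filter { key in suspicious.contains { key.lowercased().contains($0) } }
        .sorted()
}

// Constructed sample usage.
storeCredentialsInsecurely(account: "alice@example.com", password: "sample-password")
print("Plaintext secret-looking keys:", findPlaintextSecretKeys())   // includes "password"

let status = storeCredentialsInKeychain(account: "alice@example.com", password: "sample-password")
print("Keychain store status:", status)   // errSecSuccess (0) on a signed, entitled build
print("Keychain read back:", readPasswordFromKeychain(account: "alice@example.com") ?? "nil")
```

The difference that matters for the article's point is the accessibility class: a plist in the app container is readable whenever the container is, while a Keychain item tagged `kSecAttrAccessibleWhenUnlockedThisDeviceOnly` is encrypted under keys tied to the device and its passcode, so it is not exposed by copying the container or its backup. The audit function is deliberately coarse (a substring match on key names); it is meant as a first pass during code review, not as proof that no secret is stored in the clear.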
"Starbucks claims that it has heard no reports of its app customers falling victim to this vulnerability, and the app has not been updated on either the Google Play Store or the Apple App Store," Anscombe says. "By championing convenience over security, Starbucks has essentially made a choice on the behalf of the consumer that they would prefer convenience over privacy."
Walsh says Starbucks may not be alone. "No one should assume that their company's mobile apps are safe and properly secure sensitive employee and/or customer data," Walsh says. "You must ask where and how frequently mobile app testing experts are examining both employee-only and customer-facing apps for security and privacy holes."