Starbucks Responds to iPhone Privacy Concerns with App Update

| News

Following a security researcher's report showing the Starbucks app for the iPhone stores customer user names and passwords in an unencrypted format, the company has responded with an app update that includes what it called new safeguards.

Starbucks app left user logins unprotectedStarbucks app left user logins unprotected

The user name and password issue was revealed by Daniel Wood at the seclists.org website where he said,

There are multiple instances of the storage of clear-text credentials that can be recovered and leveraged for unauthorized usage of a users account on the malicious users’ own device or online at [the Starbucks website].

The Starbucks app for the iPhone stores user's customer loyalty card information which also includes the balance still available for purchases, along with user account logins and location information. For anyone to access the information stored in the app, they'd need physical access to the victim's iPhone.

Assuming someone did get ahold of an iPhone with the Starbucks app installed, they could potentially buy their fill of lattés and chai drinks, and if the app is set to auto-reload from a credit card, they could spend up to the card's limit on drinks and food.

That shouldn't be an issue as of Friday, however, because Starbucks released version 2.6.1 of its iPhone app. The coffee giant hasn't said exactly what measures it has taken with the app update to secure customer information other than to say it includes "additional performance enhancements and safeguards.

Sign Up for the Newsletter

Join the TMO Express Daily Newsletter to get the latest Mac headlines in your e-mail every weekday.

Comments

webjprgm

I don’t trust it until I see that they didn’t just XOR the password with a “secret” key.  But I don’t use the Starbucks app anyway so it has no personal impact.

vpndev

From descriptions I have seen, the old app not only stored the creds in plain-text but transmitted them that way too.

That is a more serious issue, in my opinion. I wonder if they have fixed that also?

BlackCorvid

I have two corrections to this post. First, the update is 2.6.2 (2.6.1 was an update from May 2013). Second, this update does not appear to be IOS 7 compatible. The App will not update on two IOS devices running IOS 7 but will update on an old iPod Touch (3rd gen.) running IOS 5.1.1.

ernieb

Works for me on iOS 7.1 (11D5127c)

BlackCorvid

Late last night I was finally able to update the app on an iPod Touch 5th gen. Later yet I managed to acquire access to the update on my iPhone but this required starting and quitting the old version several times. Then when opening the updated app for the first few times, it would not work (timed out while trying to enter my password). Finally, it is working. This is strange behavior for an app and I’ve had no other instances of this type of problem with the dozens of apps that I’ve installed.

Log-in to comment