Starbucks Admits Mobile App is Knowingly Insecure
posted Sunday Jan 19, 2014 by Scott Ertz
Starbucks released an update to their mobile app this week after reports surfaced about private information being stored in the clear. The information being stored was email, username and password and was accessible to anyone who connected the phone to a computer. Obviously, a stolen phone with the Starbucks app on it could give direct access to a user's credit card information from any device.
Starbucks made the decision to not encrypt the data in a misguided attempt to make the app easier to use. They claim that they believed storing the data directly would require the user to login each time, which is, of course, not correct. We have all used apps that do not require us to login each time, but do not store our secure information insecurely.
Let's take, for example, Facebook. We all use this app on our mobile devices every day and we never seem to have to log in, unless we abandon it for an extended period. Somehow, even with this seemingly identical scenario, Facebook does not store your data in the clear.
So, what is the real scenario here? Laziness on the part of the development team. Lee Cocking of security firm Fixmo said,
Any app that stores usernames and passwords should be protecting their users by encrypting their data - especially applications oriented towards financial transactions. The risk of not protecting sensitive information is significant data leakage and potential financial losses.
In addition to making the application and any data contained within, such as payment ability, insecure, this breach of the public's trust also makes other information insecure. Since so many people use the same or very similar password across multiple systems, by gaining access to the Starbucks data, a hacker could gain access to other sensitive information.
The moral of the story here is that you should be weary of the information that you give to mobile applications. Just because the company is well-known doesn't mean it can be trusted in the mobile space. In fact, ask Target about how a trusted retailer can breach the public's trust even without their own knowledge.