Starbucks ‘chose convenience over security’ in leaving iPhone app vulnerable

“Is it better for mobile apps to be easy-to-use, or secure?” Parmy Olson asks for Forbes. “It’s a question that app developers constantly grapple with in the face of a competitive landscape, and it can sometimes take a data breach like Snapchat’s to push them in the latter direction.”

“Earlier this week security researcher Daniel Wood disclosed his findings on how Starbucks was storing data about users of its iOS app in plain text and locally on a device, making passwords and even geolocation data about users vulnerable to theft if the wrong kind of hacker got hold of their iPhone,” Olson reports. “Starbucks has said it knows about the app’s vulnerability and that the possibility of it being exploited is ‘very far fetched.’ It says that none of the app’s 10 million users have come forward to claim their data has been misused as a result.”

“Still, the company is now working on updating its app with ‘extra layers of protection,’” Olson reports. “In this case, Starbucks had decided on behalf of the consumer that it would ‘prefer convenience over privacy,’ said Tony Anscombe, head of free products at security software firm AVG Technologies.”

Read more in the full article here.


    1. It may just be a coffee house, but the turnover in dollar terms is nothing to sniff at. Starbucks customers, like Apple Inc. customers, are mostly middle to high income earners, hence their regular expensive cuppa. Hack their credit cards and you will be laughing all the way to the bank or lamenting all the way into prison, as the case may be.
      Just note that once the cats have escaped from the barn, herding them back in will be a spittin’, hissin’ an’a wailing affair.
      That was an allegory as to the closing of the stable doors after the horses have bolted!

    1. Real security is in fact a real inconvenience to the user and not the developer. In fact the real hurdles to security are the sales/marketing folks that are the decision makers. Now a developer may not implement security based on ignorance, but usually not because it is hard. If you want to blame lack of security in 2013/14, look at the sales/marketing bozos (or the dimwits that did

  1. I have a minor issue with it, only because I frequent Starbucks so much I have a gold account (which gives a free drink every 12) with $48 pulled from a linked credit card on it. I’m sure if the money were taken, unless it were a public incident, it would be too bad for me. Any unauthorized charges to the linked credit card I am sure the cc company would take care of.

  2. From what I’ve read, the passwords are being placed into LOG files in plain-text. Why? What business does the app have storing passwords in log files? What is done with those log files? Are they ever transmitted back to the mothership when the app crashes so they can improve the app?

    There’s NO excuse for passwords to *ever* be stored in plain-text. Ever. Even obfuscation through a proprietary process is better than plain-text.

    1. Timeless wisdom. Well done.

      Not a fan of bitter coffee at a high price in a beautiful package store.

      But hey, they are very successful and all power to them. 🙂
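Comment 2 above asks what business an app has writing passwords to log files. One defensive control that answers the "no excuse" point is to scrub credential-like fields before a log record ever reaches a handler, so a crash report or verbose debug trace cannot carry a password or session token out of the process. The following is an added example, not code from the original post or from the Starbucks app; the field names in SECRET_KEYS and the sample log calls in demo() are constructed for illustration.

```python
import logging
import re

# Field names whose values must never reach a log file (assumed list for this example)
SECRET_KEYS = ("password", "passwd", "pwd", "token", "auth")

# Matches key=value pairs and JSON-style "key": "value" pairs for the keys above,
# case-insensitive; the value ends at a quote, whitespace, comma, ampersand or brace
_SECRET_RE = re.compile(
    r'(?P<key>"?(?:' + "|".join(SECRET_KEYS) + r')"?\s*[:=]\s*"?)(?P<val>[^"&\s,}]+)',
    re.IGNORECASE,
)


def redact(text: str) -> str:
    """Replace the value of every credential-like field with a fixed marker."""
    return _SECRET_RE.sub(lambda m: m.group("key") + "[REDACTED]", text)


class RedactingFilter(logging.Filter):
    """Rewrites each record's fully formatted message before a handler writes it."""

    def filter(self, record: logging.LogRecord) -> bool:
        # Interpolate %-args first so secrets passed as arguments are caught too
        record.msg = redact(record.getMessage())
        record.args = ()  # already interpolated; prevents a second formatting pass
        return True


class ListHandler(logging.Handler):
    """Captures emitted lines in memory so the result can be inspected (stands in for a file)."""

    def __init__(self) -> None:
        super().__init__()
        self.lines: list[str] = []

    def emit(self, record: logging.LogRecord) -> None:
        self.lines.append(self.format(record))


def build_logger(name: str = "app") -> tuple[logging.Logger, ListHandler]:
    """Return a logger whose single handler redacts secrets on every record it writes."""
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.setLevel(logging.DEBUG)
    logger.propagate = False
    handler = ListHandler()
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    # Attaching the filter to the handler means it applies regardless of which logger emitted the record
    handler.addFilter(RedactingFilter())
    logger.addHandler(handler)
    return logger, handler


def demo() -> list[str]:
    """Emit constructed log calls resembling an over-verbose login trace and return what was written."""
    logger, handler = build_logger()
    logger.debug("login request user=%s password=%s", "alice@example.com", "hunter2")
    logger.debug('session payload {"token": "abc123", "lat": 64.84, "lon": -147.72}')
    logger.info("checkout ok order=42")
    return handler.lines


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The filter sits on the handler rather than the logger so that a record from any module still passes through it, and it redacts the interpolated message rather than the format string so that a password supplied as a `%s` argument is caught as well. Note that the geolocation fields in the second sample line are left in place: the filter only knows the names listed in SECRET_KEYS, so anything else considered sensitive has to be added there deliberately.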

  3. So the app stores login/password combination in the app’s Data folder in the encrypted filesystem. If that’s compromised (by someone stealing the device, and jailbreaking it), what do they really have? They can login to, and do what, exactly? They can’t use a stored credit card on the account without providing the card security code (which isn’t stored by the app). I suppose they could leave some kind of nasty feedback, or rude suggestion? I hardly think that’s worth stealing a phone, and jailbreaking it.

    I think there are much bigger concerns than this. Starbucks should use data protection for the data folder for the app, but it’s not the huge deal it’s being made out to be.

    Lame article.

  4. As long as you stay on top of your bank accounts and notice any suspicious activity and report it right away, the only thing you will lose is convenience for about a week until the bank issues you a new card.

  5. Yeah, I don’t have the app, nor do I get their coffee. We have about 25 drive-up coffee kiosks here in Fairbanks and I much prefer Mocha Dan’s or Mocha Moose. Their coffee is so much less acidic and generally tastier than the rubbish Starbucks calls coffee.
    Just my 2¢ from the middle of Alaska
