Starbucks has promised a future update to its iPhone barcode scanning app, aimed at fixing a security flaw which could leave a person’s user name, email address, password, and location information open for a security-savvy thief to see.
According to security specialist Daniel Wood, who discovered the vulnerability, this information was being stored unencrypted, in plain text, within temporary log files for Crashlytics, a crash reporting framework. Although many other iOS apps also use Crashlytics, the Starbucks app has been logging information that it shouldn’t.
The personal data has only been accessible on the device itself, and only temporarily — after a user signs up for a new account, for example, or some other “event” occurs.
Still, iPhone theft is running rampant. In Washington, D.C. last year, cellphones were stolen in 42 percent of robberies. In New York City, theft of iPhones and iPads amounted to 14 percent of all crimes.
Starbucks: ‘We Expect This Update to be Ready Soon’
“We’d like to be clear: there is no indication that any customer has been impacted by this or that any information has been compromised. Regardless, we take these types of concerns seriously and have added several safeguards to protect the information you share with us,” said Curt Garner, CIO, in a statement issued on Starbucks’ web site on Thursday.
“Out of an abundance of caution, we are also working to accelerate the deployment of an update for the app that will add extra layers of protection. We expect this update to be ready soon and will share our progress here. While we are working on the update, we would like to emphasize that your information is protected and that you should continue to feel confident about the integrity of our iOS app.”
In a phone call on Thursday with Brighthand, Maggie Jantzen, a Starbucks spokesperson, said that she didn’t know whether a software update had been planned prior to the release of Wood’s report on the SecList.org site on Monday. Wood has claimed that he contacted Starbucks directly about the problem last month, but that he received no response.
Wood did not test the Android edition of Starbucks’ barcode scanning app. Jantzen told Brighthand that the Android app does not contain the vulnerability, and that the flaw bears no relationship to Pay with Square Wallet, a payment app from Square — available in both iOS and Android flavors — which Starbucks started rolling out in November as another option for customers.
“While Square Wallet is a valid payment method at Starbucks, it has nothing to do with the security concerns in Daniel Wood’s report,” she told Brighthand.
Security Specialist: ‘Never Store Credentials on the Phone File System’
In a set of recommendations included in his report, Wood advised that users’ credentials should never be stored on the phone file system.
“Force the user to authenticate using a standard web or API login scheme (over HTTPS) to the application upon each opening and ensure session timeouts are set at the bare minimum to meet the user experience requirements,” he wrote.
“Where storage or caching of information is necessary, consider using a standard iOS encryption library such as CommonCrypto.”
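As an added illustration of the audit and redaction that Wood’s recommendations imply (example code written for this page, not from Wood’s report or the Starbucks app), the Python below scans constructed key=value log lines for the fields the report names and shows the masking a logging hook should apply before anything is written to disk; the log format and key names are assumptions, not the real Crashlytics file layout.

```python
import re
from typing import Iterable, List, Tuple

# Keys that must never reach a crash-reporting or debug log in clear text.
# Assumed key names for this example; the report named user name, email,
# password and location data as the fields that leaked.
SENSITIVE_KEYS = {"username", "user_name", "email", "password", "passwd",
                  "latitude", "longitude", "location"}

# Constructed sample log lines in a simple key=value format.
SAMPLE_LOG = """\
2014-01-13 10:22:01 event=signup username=jane.doe email=jane@example.com password=hunter2 device=iPhone5
2014-01-13 10:22:05 event=view_screen screen=rewards
2014-01-13 10:23:10 event=store_locator latitude=38.8977 longitude=-77.0365
"""

# One key=value pair; values run to the next whitespace.
PAIR = re.compile(r"(\w+)=(\S+)")


def redact_line(line: str) -> str:
    """Hardened logging hook: keep the line's structure but mask every
    sensitive value before the line is handed to the crash reporter."""
    def mask(m: "re.Match[str]") -> str:
        key, value = m.group(1), m.group(2)
        return f"{key}=[REDACTED]" if key.lower() in SENSITIVE_KEYS else f"{key}={value}"
    return PAIR.sub(mask, line)


def find_leaks(lines: Iterable[str]) -> List[Tuple[int, str]]:
    """Audit check: return (line_no, key) for each sensitive key whose value
    still appears in clear text, so a release build can be verified clean."""
    hits: List[Tuple[int, str]] = []
    for n, line in enumerate(lines, 1):
        for key, value in PAIR.findall(line):
            if key.lower() in SENSITIVE_KEYS and value != "[REDACTED]":
                hits.append((n, key))
    return hits


if __name__ == "__main__":
    raw = SAMPLE_LOG.splitlines()
    print("leaks before redaction:", find_leaks(raw))
    cleaned = [redact_line(l) for l in raw]
    print("leaks after redaction:", find_leaks(cleaned))
    for l in cleaned:
        print(l)
```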
Analyst: ‘This Is a Really Big Deal’
“This is a really big deal,” observed Richard Crone, CEO of Crone Consulting, in an interview with Brighthand. “Starbucks is the most successful [in-store payments] deployment in history, with 10 million customers and 4.5 million transactions a week,” the analyst told Brighthand.
As a better approach to security, Crone pointed to Paydiant, a “white label” in-store payment app now under rollout at Subway and some other retail outlets.
“With Paydiant, the user scans a bar code and uploads it to the cloud. Then Paydiant sends a token to the POS (point of sale). So no payment credentials are ever stored either on the phone or at the POS,” said Crone.