Starbucks has promised a future update to its iPhone barcode scanning app, aimed at fixing a security flaw which could leave a person’s user name, email address, password, and location information open for a security-savvy thief to see.
In the vulnerability discovered by security specialist Daniel Wood, this information was being stored unencrypted, in plain text, within temporary log files for Crashlytics, a crash reporting framework. Although many other iOS apps also use Crashlytics, the Starbucks app has been logging information that it shouldn’t.
The personal data has only been accessible on the device itself, and only temporarily — after a user signs up for a new account, for example, or some other “event” occurs.
Still, iPhone theft is running rampant. In Washington, D.C. last year, cellphones were stolen in 42 percent of robberies. In New York City, theft of iPhones and iPads amounted to 14 percent of all crimes.
Starbucks: ‘We Expect This Update to be Ready Soon’
“We’d like to be clear: there is no indication that any customer has been impacted by this or that any information has been compromised. Regardless, we take these types of concerns seriously and have added several safeguards to protect the information you share with us,” said Curt Garner, CIO, in a statement issued on Starbucks’ web site on Thursday.
Security Specialist: ‘Never Store Credentials on the Phone File System’
In a set of recommendations included in his report, Wood advised that users’ credentials should never be stored on the phone file system.
“Force the user to authenticate using a standard web or API login scheme (over HTTPS) to the application upon each opening and ensure session timeouts are set at the bare minimum to meet the user experience requirements,” he wrote.
“Where storage or caching of information is necessary, consider using a standard iOS encryption library such as CommonCrypto.”
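Wood's advice above (never log credentials to the file system, encrypt anything that must be cached) can be enforced at the one point where an app hands event data to a crash reporter. The following is an added illustration, not code from the Starbucks app, Crashlytics or Wood's report; it is written in Python rather than Objective-C so it runs stand-alone, and the field names and the sample event are assumptions.

```python
"""Scrub a crash-report event before it reaches any logger that writes to
the device file system (the failure mode described above)."""
import hashlib
import json
import re
from typing import Any

REDACTED = "[REDACTED]"
# Key names are assumptions for illustration, not the Starbucks app's schema.
SECRET_KEYS = {"password", "passwd", "pin", "token", "session"}   # drop outright
IDENTIFIER_KEYS = {"username", "user_name", "email"}              # pseudonymise
LOCATION_KEYS = {"location", "latitude", "longitude", "coords"}   # drop outright
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

def _pseudonym(value: Any) -> str:
    """Short SHA-256 tag so support can correlate reports without the raw value."""
    return "sha256:" + hashlib.sha256(str(value).encode()).hexdigest()[:12]

def scrub_event(event: Any) -> Any:
    """Deep-copy `event` with secrets dropped, identifiers pseudonymised and
    e-mail addresses masked inside free-text strings (e.g. error messages)."""
    if isinstance(event, dict):
        out = {}
        for key, value in event.items():
            name = str(key).lower()
            if name in SECRET_KEYS or name in LOCATION_KEYS:
                out[key] = REDACTED
            elif name in IDENTIFIER_KEYS:
                out[key] = _pseudonym(value)
            else:
                out[key] = scrub_event(value)   # recurse into nested structures
        return out
    if isinstance(event, list):
        return [scrub_event(item) for item in event]
    if isinstance(event, str):
        return EMAIL_RE.sub("[EMAIL]", event)
    return event

def safe_log_line(event: dict) -> str:
    """The only form of an event that may be handed to a file/crash logger."""
    return json.dumps(scrub_event(event), sort_keys=True)

# Constructed sample of what a sign-up event might carry; not real data.
SAMPLE_EVENT = {
    "event": "signup", "username": "jdoe", "email": "jdoe@example.com",
    "password": "hunter2", "location": {"latitude": 38.9, "longitude": -77.0},
    "message": "signup retry for jdoe@example.com", "app_version": "2.6.1",
}
```

The pseudonym keeps crash reports groupable per user without ever writing the raw identifier, and the free-text pass catches the common leak of an address embedded in an error message.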
Analyst: ‘This Is a Really Big Deal’
“This is a really big deal,” observed Richard Crone, CEO of Crone Consulting, in an interview with Brighthand. “Starbucks is the most successful [in-store payments] deployment in history, with 10 million customers and 4.5 million transactions a week,” the analyst told Brighthand.
As a better approach to security, Crone pointed to Paydiant, a “white label” in-store payment app now under rollout at Subway and some other retail outlets.
“With Paydiant, the user scans a bar code and uploads it to the cloud. Then Paydiant sends a token to the POS (point of sale). So no payment credentials are ever stored either on the phone or at the POS,” said Crone.