Some disconcerting news for those that use the Starbucks app for iPhone has been released today; apparently, the Starbucks application stores usernames, email addresses, passwords, and latitude/longitude coordinates of previous geolocations the owner of the device has visited all in plain text. Yes, no encryption, nothing of the sort. In fact, you don’t even need to have a jailbroken device in order for someone to gain access to this information. From Computerworld’s report:
The Starbucks mobile app, the most used mobile-payment app in the U.S., has been storing usernames, email addresses and passwords in clear text, Starbucks executives confirmed late on Tuesday (Jan. 14). The credentials were stored in such a way that anyone with access to the phone can see the passwords and usernames by connecting the phone to a PC. No jailbreaking of the phone is necessary. And that clear text also displays an extensive list of geolocation tracking points (latitude, longitude), a treasure trove of security and privacy gems for anyone who steals the phone.
The application is completely vulnerable, so even though Starbucks has claimed to have implemented measures to combat this, it doesn’t matter. Starbucks has released a press release, however, saying that an updated application will be on the way. The CIO of the company, Curt Garner, said in the press release that the company is “working to accelerate the deployment of an update for the app that will add extra layers of protection.” Full press release below:
January 16, 2013
Your security is incredibly important to us. This week a research report identified theoretical vulnerabilities associated with the Starbucks Mobile App for iOS in the event a customer’s iPhone were to be physically stolen and hacked.
We’d like to be clear: there is no indication that any customer has been impacted by this or that any information has been compromised. Regardless, we take these types of concerns seriously and have added several safeguards to protect the information you share with us. To protect the integrity of these added measures, we are unable to share technical details but can assure you that they sufficiently address the concerns raised in the research report.
Out of an abundance of caution, we are also working to accelerate the deployment of an update for the app that will add extra layers of protection. We expect this update to be ready soon and will share our progress here. While we are working on the update, we would like to emphasize that your information is protected and that you should continue to feel confident about the integrity of our iOS app.
We appreciate your business and believe it is our job to earn your trust as a customer. We also know that constant vigilance is the best way to protect you and the information you share with us. If you think your information may have been compromised for any reason, please contact our Customer Care team at 1-800-23-LATTE or at www.starbucks.com/customer.
Starbucks chief information officer
If you are worried about this, you can always uninstall the application until the update is released. Though this isn’t by any means something that should just be dismissed as not a problem, it also isn’t as big a problem as some think. In order for a thief to get this information, they would need physical access to the device. So, unless you are giving someone your device that you don’t trust, or you think you’ll have your phone stolen in the next week or so, it shouldn’t be that big of an issue. Hopefully the update is pushed soon to calm the nerves of many people.
What do you think? Surprised this is coming from Starbucks? Would you expect more from the company? Let us know in the comments, or tweet me @TiP_Kyle.