Forgot your password?
typodupeerror
Security

Starbucks Phone App Stores Password Unencrypted 137

Posted by timothy
from the don't-spend-it-all-in-one-place dept.
JThaddeus writes "The Daily Caller reports a serious security flaw in the Starbucks phone app: 'Starbucks confirmed late Tuesday that anyone could access the unencrypted data stored on the official Starbucks app simply by connecting the phone to a computer – bypassing lock screen or PIN security features with no hacking or jailbreaking necessary.' The linked report is for iOS. No mention of Android, but do you think it is any different?" (Starbucks says they've addressed the problem.)
This discussion has been archived. No new comments can be posted.

Starbucks Phone App Stores Password Unencrypted

Comments Filter:
  • by Anonymous Coward on Thursday January 16, 2014 @12:38PM (#45976887)

    When will companies be held liable for implementing incompetent security (or not implementing it all)?

    The marketing weenies are all over getting the brand out, but don't give a shit about security.

    Companies should be getting fined for crap like this. Between data beaches and gross incompetence at any form of security, trusting a marketing app is the height of stupid.

    • by Sarten-X (1102295) on Thursday January 16, 2014 @12:45PM (#45976975) Homepage

      Never. Per the last few hundred years of legal precedent, the companies are the victims. It's in the same category as leaving a house unlocked. Legally, the person at fault is the one who decided to abuse the flaw and access information they aren't supposed to.

      There is a case for negligence, but that requires that the negligent party be unreasonably incompetent, and at the moment, most companies with these kind of security problems are performing on par with most of America - the non-techies who don't understand security.

      • by geogob (569250)

        Never. Per the last few hundred years of legal precedent, the companies are the victims. It's in the same category as leaving a house unlocked. Legally, the person at fault is the one who decided to abuse the flaw and access information they aren't supposed to.

        Have fun trying to sell that to your insurance company.

        • Re: (Score:2, Interesting)

          by Anonymous Coward

          I don't know where you live, but throughout most of the world content insurance covers theft.

          Both break and enter as well as trespassing don't require the door to be locked. Theft doesn't depend on either of the above cases to be met (if your ladder sticks up over your fence, or your lawnmower is sitting on public land (an easement), or your door mat is sitting outside an apartment unit in a common space, theft is still "depriving someone of lawfully acquired property without the permission of the owner

          • by TheCarp (96830)

            However, that isn't really the end of the story is it? After a claim or two it isn't unheard of for an insurance company to drop a customer, or raise rates. It also isn't unheard of for Insurance companies to mandate their customers comply with standards higher than that of legal obligation.

            Seems to me it would be perfectly legitimate for an insurance company which insures a company that is distributing software to take appropriate precautions commensurate with industry best practices or else void their pol

        • Did insurance companies become the law while I wasn't looking?
          • by gstoddart (321705)

            Did insurance companies become the law while I wasn't looking?

            No, but they've been known to deny coverage if they can find any little thing which they can blame on you.

            Insurance companies aren't exactly known for playing nice in a lot of cases.

            • Grandparents were discussing legal liability.
              • by gstoddart (321705)

                Grandparents were discussing legal liability.

                Correct, but doing it in such a way as to imply that insurance companies care about legal liability, when in fact they only care about their own liability -- if they can get away with denying you coverage they will.

                Even if 'technically' the legal liability was with whoever went into your unlocked house.

                In other words, legal liability can be detached from what insurance companies are willing to accept, and being right on an abstract point is immaterial. ;-)

                • There was no implication about insurance companies at all, because there was no discussion of insurance companies at all; just government fines. Complete text of the original posts:

                  When will companies be held liable for implementing incompetent security (or not implementing it all)? The marketing weenies are all over getting the brand out, but don't give a shit about security. Companies should be getting fined for crap like this. Between data beaches and gross incompetence at any form of security, trustin

            • by lgw (121541)

              Insurance companies aren't exactly known for playing nice in a lot of cases.

              Which is why "suing insurance companies" is the national sport of the American court system.

            • I can't believe the insurance company can weasel their way out of paying if you are insured for it at the time of the unfortunate event. That's just wrong.
              Of course they can kick you out. That doesn't change the fact that the theft or whatever happened while you were insured and thus they have to pay.
      • by gstoddart (321705)

        but that requires that the negligent party be unreasonably incompetent

        Oh, I don't know ... storing passwords in plain text sounds pretty unreasonably incompetent since we've known for 30+ years it's a stupid idea.

        It's not like there should be anybody who doesn't know that yet. At least not anybody you should be trusting to write code.

      • There is a case for negligence

        Not if there are no damages. I don't see anything about anyone losing money yet.

      • by Anonymous Coward

        In Quebec, you can get a ticket for leaving your car doors unlocked in public parking lot. To be sure there's no place for discussion, they place the ticket on the dashboard and lock the doors on their way out.

        • by hjf (703092)

          Don't most cars unlock the door if you lock from inside first, and then close the door? Pretty sure at least the driver's door unlocks if you close it locked.

      • Never. Per the last few hundred years of legal precedent, the companies are the victims. It's in the same category as leaving a house unlocked. Legally, the person at fault is the one who decided to abuse the flaw and access information they aren't supposed to.

        Even if true (and I don't agree that it is) this is easily remedied through legislation making inadequate care of customer data illegal by statute (negligence per-se). Furthermore there there are a variety of duty of care torts under which a company could be legally charged including potentially fiduciary duty in some cases.

        The fact that many companies are incompetent is not a sufficient excuse and should never be regarded as such.

      • There is a case for negligence, but that requires that the negligent party be unreasonably incompetent

        It's 2014. Anyone who stores data unencrypted *IS* unreasonably incompetent.

        Starbucks says they've addressed it - but unless they've fired everyone involved (including the managers), they really have not.

      • by dkleinsc (563838) on Thursday January 16, 2014 @02:40PM (#45978243) Homepage

        It's in the same category as leaving a house unlocked.

        That analogy is incorrect. In a correct analogy, the locksmith installed a lock that he swore up and down would protect your home, you locked the door thinking you were fine, and then somebody came in and stole a bunch of things. And that would in fact make the locksmith liable, especially if there was a written guarantee on the lock and the locksmith's work (but even if not, there's the implied warranty of merchantability that says that he's still liable).

        And as soon as you look at the case that way, Starbucks is being negligent, just like the locksmith was in our analogous scenario. The key factor here is that the victim of the crime is not the person who left themselves vulnerable to it through their own stupidity.

      • After some experience with the industry I have come to the conclusion that a lot (but not nearly enough) of the devs actually do know that the stuff they build is insecure. But usually it comes down to some situations:
        "Meh, this is not really that important to spend so much time securing",
        "My boss is on my ass to finish this fast" or "I have a deadline to meet",
        "If I get this done really fast I will win some points with the boss and maybe get a good review",
        "I do know I should encrypt this password, but I n

        • by Mashdar (876825)
          With the general level of incompetence I have seen in electrical/electronic/software engineers and cs guys, I would say most people have no clue how bad their code is for security. Unless the industry somehow finds a segment of the workforce I've magically never met, I'd say they are boned because they didn't shell out the big bucks.
    • by mlts (1038732) on Thursday January 16, 2014 @12:50PM (#45977031)

      Inductive reasoning states never.

      Look at historic security breaches in the past that resulted in massive data compromise. Most companies that were breached are back to their stock norms, or perhaps even higher [1] a few quarters after the incident. Couple this with the belief that security has no ROI...

      I wouldn't expect anything to change anytime soon.

      [1]: I remember being told by an MBA that all press is good press, so a security breach is still getting a company name in front of people's eyes/ears where they may never have gotten with normal advertising methods.

      • by Anonymous Coward

        So this story means new people are hearing about Starbucks for the first time?

        • Not the company, the app. I know my first thoughts when seeing this story were "Starbucks has an app? What? Why?"
          • by gstoddart (321705)

            "Starbucks has an app? What? Why?"

            Marketing, and collecting consumer information. Exactly what most apps are for these days.

            Sure, you might get a small discount now and then, but the treasure trove of marketing data is worth far more than that discount is.

        • by khr (708262)

          So this story means new people are hearing about Starbucks for the first time?

          Not necessarily for the first time. I wasn't thinking at all about coffee, but now there's an article about a big coffee vendor, so it comes to mind. Maybe I'll stop in on my way home, since I walk past several... (but who am I kidding, they're always crowded and I've never ordered coffee on my own before, so I'm not sure I know how to do that without making a fool of myself...)

    • Well, it depends on the results. I've never used the app*, but...

      If the result is that you get to share in the user's freebie downloads and coupons, then it's Starbucks' problem, and they can eat the results for all I care.

      If the result is a compromise of the user's CC info, then yeah, Starbucks needs to not only eat that cost, but forced to eat any associated costs that the ID theft brings about, and then compensate every user generously for his/her time and trouble.

      I guess what I'm getting at is this - if

    • I suspect that if you read the EULA you clicked through, not only did you agree not to hold them liable for their crappy software, you also gave them permission to burn down your house and shoot your dog.
    • by alen (225700)

      from what i read it was only in a log file, not the part where it authorizes your CC
      relax

      someone would have to steal your phone to take the data off. and anyone on ios 7 which is more iphone users will have find my iphone enabled and will send a remote wipe command.

      or just change your passwords once you lose your phone and problem solved

    • by Aaden42 (198257) on Thursday January 16, 2014 @01:25PM (#45977451) Homepage

      Before you have grounds for a suit based on liability, you have to show harm that wasn’t already reimbursed by anyone who you might seek to hold liable.

      There’s no “harm” done to you by having your password stored in the clear on your device. If someone got that password, used it to run up charges on your account, then there’s harm done. If Starbucks policy results in you being refunded and not being held accountable for those charges, then there’s still no harm. You’ve already been made whole in monetary terms before any legal proceeding might have commenced, QED no grounds for any legal proceeding.

      Also, as others have pointed out, the harm isn’t actually perpetrated by Starbucks in this case. It’s done by whoever got your phone, extracted the password, and used it for mayhem. A defense attorney for Starbucks would make a (rather valid IMHO) argument that by allowing someone else to take your phone and plug it into their computer, you failed to take reasonable actions to secure your own system. At best, Starbucks is responsible for only a portion of the liability, and then you’re talking civil juries deciding percentages of fault to assign damages.

      I do think the “left your house unlocked, got robbed” analogy is a bit off for this though. As far as the user could reasonably know, setting a lock code on your phone should be enough to qualify as “locking the house.” Unbeknownst to the user/homeowner, there was a flaw in the lock that allowed it to be trivially picked even if it was properly locked. Some liability is due the lock maker in this case, as it could be reasonably argued the product wasn’t fit for the purpose it was sold. I don’t think that applies quite as cleanly to Starbucks in this case as 1) the app is free (not sold), and 2) the app’s purpose for which it’s marketed isn’t to keep your password secure. That’s something one might expect/hope of it, but it’s a stretch to turn that expectation into grounds for a lawsuit.

      The harm in any such case is likely to be well below that of the legal fees to pursue it unless you manage to get them on some statutory minimum penalties (in excess of the actual value of the harm) or turn it into a class action which would require significant numbers of people who were actually harmed (their passwords were used). I’m not aware of any such statute for something like this. Maybe some kind of treble damages thing for gross negligence, but you’re still talking triple the cost of a couple of cups of coffee, so not something worth suing over. Given how trivially, stupidly easy it is in iOS to store a password like this in Keychain in such a way that it can’t be dumped by simply plugging in the device, calling this gross negligence isn’t much of a stretch.

      The only way to fix something like this would be to pass new legislation that specifically creates a tort for the act of storing user’s credentials (or perhaps PII in general) in an insecure manner. I’d personally like to see that done, but the details of how to define “a secure manner” and what information should be covered would take a lot of work to hash to prevent loopholes or making it so onerous that developers couldn’t actually comply with it for any non-trivial app.

      • by BronsCon (927697)

        Before you have grounds for a suit based on liability, you have to show harm that wasn’t already reimbursed by anyone who you might seek to hold liable.

        Typically, you'd acquire a coffee shop's grounds from their refuse receptacle, but, as Starbucks is known to recycle their grounds, that might make holding them liable for anything slightly more difficult.

        And yes, I'm going for a "Funny" mod here.

        • If Starbucks offers no grounds for a suit based on liability, at least a tailor's shop is grounds for a suit based on wool.

          (I'm going for "Funny" too, but neither one of us is likely to get it. :-)

    • Why would anyone use a Starbucks app? My guess is that the security hole affected at most two people: The Starbucks marketing manager who wanted it and the guy who developed it.
      • by Jason Levine (196982) on Thursday January 16, 2014 @01:43PM (#45977623)

        I can't speak to the iOS installations, but Google Play reports that the Starbucks app has between 1 million and 5 million installs: https://play.google.com/store/apps/details?id=com.starbucks.mobilecard [google.com]

        If iOS has a similar installation base, we're talking somewhere between 1 million and 10 million affected users.

        • On my Android phone (Moto Droid Razr), the flash storage is not accessible via USB until I unlock the phone. Of course, the SD card could be removed, but most applications store to the internal flash by default, so there is at least a moderate level of protection against that kind of attack on Android.
      • My main reason for using the Starbucks app is so that I don't have yet another card taking up space in my wallet (by using a Starbucks card you get a free drink every so often, as well as eligibility for gold membership which gives you free syrups and extra shots).

        More importantly though, why do you think this only affected two people? Even computer novices know how to use a smartphone and I think you would be surprised at how often I see some old geezer using an app to pay for something or check in somewhe

      • by sjbe (173966) on Thursday January 16, 2014 @03:19PM (#45978627)

        Why would anyone use a Starbucks app? My guess is that the security hole affected at most two people: The Starbucks marketing manager who wanted it and the guy who developed it.

        The Starbucks app is THE most popular smartphone payment app for retailers out there. It allows you to bring up a barcode on your smartphone screen to pay. On the iPhone it also is aware of when you walk into a Starbucks location and you do not even have to pull up the app thanks to the Passbook on the iphone. You just swipe the screen and it brings the barcode up for payment. Very easy to use and faster than cash or credit card. Payment is behind the scenes with an credit card attached to a Starbucks card. You can have multiple cards and transfer balances between them. If you want to see the future of using a smartphone to pay for products, you should be looking at this app. Starbucks is way ahead of anyone else in implementing this stuff. If you actually go into a Starbucks you'll almost certainly see someone using their smartphone to pay for their drinks.

        No I don't work for Starbucks and I'm not promoting or disparaging the product. Merely describing what Starbucks has done. It is attention worthy whether you like Starbucks or not.

    • Companies already are held liable for implementing incompetent security, and are punished by their customers who stop buying their shoddy product, and possibly all their other products, whether shoddy or not. This is already the worst thing you can do to a company.

    • by kwbauer (1677400)

      So sue them for all the harm caused by someone possibly knowing what your favorite overpriced beverage is.

    • by idji (984038)
      Is there a genuinely secure mechanism for an app to store a password internally? I imagine they mostly just store an encrypted version of the password using a standard algorithm with an fixed "unknown" key/salt in the code. Isn't this just an example of security through obscurity?
  • by Anonymous Coward on Thursday January 16, 2014 @12:39PM (#45976893)
    What's the difference? Patronize a local shop that doesn't over-roast the coffee.
    • by malakai (136531) on Thursday January 16, 2014 @12:56PM (#45977143) Journal

      Love my mocha's. Can't tell you how many times I got to a 'local' coffee house and get a crap mocha. Some like to put store bought chocolate syrup in it, others like to add a mocha powder without first turning it into a wet paste. I've had Swiss Miss packets added to a late and told this was their 'Cafe Mocha'.

      All in all, I can count on one hand the number of good cafe mocha's I've had at 'local' coffee houses.

      On the other hand, every Starbucks I got into, anywhere in the world, seems to have the same Cafe Mocha. It's as if they had a recipe and the barista's were trained to make it. I like being in a town for the first time in my life, finding a Starbucks and feeling a little bit like being at home.

      In the end, I reward any store on it's quality, I don't stereotype a store based on it's number of locations or perceived local community value. Would you patron a crap restaurant just because it's "local"?

      • by hawguy (1600213) on Thursday January 16, 2014 @01:11PM (#45977297)

        Love my mocha's. Can't tell you how many times I got to a 'local' coffee house and get a crap mocha. Some like to put store bought chocolate syrup in it, others like to add a mocha powder without first turning it into a wet paste. I've had Swiss Miss packets added to a late and told this was their 'Cafe Mocha'.

        All in all, I can count on one hand the number of good cafe mocha's I've had at 'local' coffee houses.

        On the other hand, every Starbucks I got into, anywhere in the world, seems to have the same Cafe Mocha. It's as if they had a recipe and the barista's were trained to make it. I like being in a town for the first time in my life, finding a Starbucks and feeling a little bit like being at home.

        In the end, I reward any store on it's quality, I don't stereotype a store based on it's number of locations or perceived local community value. Would you patron a crap restaurant just because it's "local"?

        I think you are confusing quality with consistency... At Starbucks you are getting a known quality, it may not always be the best but its always the same. Independent places can be hit and mis, but usually once you find one that makes a product you like, its always good there. I have a good number of coffee shop choices and I go to one for a good latte and another for a good iced coffee (with coffee ice cubes too). But when I travel I usually go to Starbucks because I know its the same everywhere.

        • by sjbe (173966) on Thursday January 16, 2014 @01:38PM (#45977563)

          I think you are confusing quality with consistency...At Starbucks you are getting a known quality, it may not always be the best but its always the same. Independent places can be hit and mis, but usually once you find one that makes a product you like, its always good there

          And you seem to be confusing quality with preference. Preference can be a component of quality but quality is more complex and some aspects of quality have a strong subjective component. Part of quality is fitness for a particular purpose, part of it is consistency of output, part of it is the relative superiority of the product, part of it is conformance to specifications, etc. Reliability, sustainability, serviceability and other factors may play a role.

          You cannot really define quality solely in terms of customer preferences because customers often prefer things that are objectively inferior or even dangerous by some measure. We have customers at my company all the time that specify products that if built to their specs would not meet industry standards would fail in the field. What the customer thinks they want isn't always what they actually want.

          When it comes to Starbucks products, they have very good quality by some measures. Their quality on more subjective measures depends on who is doing the evaluation. Obviously a lot of people like their products and are willing to pay a lot for them. Others not so much. I think a lot of people just dislike Starbucks not so much based on their merits of their products but rather based on a more vague dislike of the corporation or the experience of the place.

        • At Starbucks you are getting a known quality, it may not always be the best but its always the same. Independent places can be hit and mis, but usually once you find one that makes a product you like, its always good there.

          Independent places, in my experience, tend to be hit-or-miss at all scales... from the store, to the shift, to the barista/cook/whatever actually doing the work when you place your order.

      • Edit: replace mocha with hamburgers and Starbucks with McDonalds. Sometimes you don't want risk and just trust the consistency of a large brand. (not that I would approve of either company in this case) But consistency isn't quality.
        • by mythosaz (572040)

          The three most important things are McDonald's are consistency, consistency and consistency.

          Although their international preparations change, fat contents of beef vary, and vegetables are often locally sourced, a Big Mac is a Big Mac is a Big Mac in pretty much every English speaking store on the planet, and the one you get on Tuesday will be made exactly the same was on Sunday.

    • by Joce640k (829181)

      Yep.

      Why on earth would anybody need a "Starbucks App". With sensitive information in it, and a password.

      What information is there to hack? If it's anything more than where the nearest store is and you coffee preference then you're DOING IT WRONG.

  • by mlts (1038732) on Thursday January 16, 2014 @12:44PM (#45976943)

    On Android, a phone will appear as a storage device or camera, unless someone enables debugging and authorizes a computer with its individual key to connect.

    I don't see how an app could get data to a computer from a locked Android device unless the app managed to get itself root, or there was some other trick to break into the Android device (physical dumping the RAM), and if an attacker is that sophisticated, pretty much what an app tries to do for security is pointless.

    • by aaarrrgggh (9205)

      The flaw is apparently exposed by the crash reporting software on iOS; not sure why Android would be protected inherently.

    • by Sockatume (732728)

      To use an Android analogy, they were storing the passwords etc. in plain text on the phone's memory card with the app's data files, so when the phone was connected to a computer and was mounted as a storage device, it was completely trivial to read it. The developers seemed to assume that because their app can't read any other app's folders (sandboxing), those folders were completely inaccessible to anything but the app that they belong to. Unfortunately that whole space is mounted and made available to the

      • by Sockatume (732728) on Thursday January 16, 2014 @01:04PM (#45977235)

        This is wrong and should be ignored. It's not stored unencrypted in the app's data folders; it's sent unencrypted to the debug log, which is also readable to anyone on the host PC.

        • which is also readable to anyone on the host PC.

          So that's what is meant by "bypassing lock screen or PIN security features"?

          • by mythosaz (572040)

            USB access to Android phones allows transfer of files from a number of folders without unlocking the device.

            [Most application data directories, of course, aren't among those, but they're not regularly exposed at all during USB connections, so...]

    • The summary is wrong. If you dig back to the original ComputerWorld article, it says, "The credentials were stored in such a way that anyone with access to the phone can see the passwords and usernames by connecting the phone to a PC. No jailbreaking of the phone is necessary." Nothing about bypassing the pin in a locked phone like the summary or shitty article the summary links to; you have to connect the phone to a computer, have it unlocked, and allow the computer access to the phone (this applies to iOS
      • by immaterial (1520413) on Thursday January 16, 2014 @01:23PM (#45977435)
        My mistake - I didn't notice the CW article had multiple pages (derp). It does say this:

        Do you feel secure because you use PIN protection on your phone? You shouldn't, says Wood. "You don't need a user's PIN in order to pull raw data off the phone using the tool and methods I have used," he said. "So if a user's phone is stolen, regardless of being PIN-protected, you are able to bypass that and access the apps Library/Cache and pull the session.clslog file."

        However, I don't buy it. If this researcher has found a way to bypass the hardware encryption on a locked iOS device, that sounds like a bigger and more interesting security hole than one in a shitty Starbucks app.

        • by gstoddart (321705)

          However, I don't buy it. If this researcher has found a way to bypass the hardware encryption on a locked iOS device, that sounds like a bigger and more interesting security hole than one in a shitty Starbucks app.

          Ummm ... except law enforcement has been able to do this for some time now [forbes.com].

          I think it's even been covered here -- I didn't think it was news.

          • The article you linked to describes phones with no passcode, or law enforcement brute-forcing the passcode (with a 4 digit code, not terribly difficult). One of its citations describes a tool that doesn't work on modern devices at all. And ultimately when police can't get in using the brute-force methods, they have to send the phone to Apple along with a warrant and Apple has some way to decrypt the system (iirc from earlier articles they also brute-force the pin, just more efficiently by bypassing much of
    • by swinefc (91418) *

      iOS is actually very similar. Without an application like PhoneView or Xcode, just connecting a device will not provide obvious access to per application data that is not explicitly shared. If the device is locked, then access is unavailable even to those methods. If the application itself requested data protection, then even physical access to the flash chips would prove useless. Of course, a developer who decided to store everything in plain text would probably not take the extra strep to request encr

      • iOS is actually very similar. Without an application like PhoneView or Xcode, just connecting a device will not provide obvious access to per application data that is not explicitly shared. If the device is locked, then access is unavailable even to those methods. If the application itself requested data protection, then even physical access to the flash chips would prove useless. Of course, a developer who decided to store everything in plain text would probably not take the extra strep to request encryption. I just wonder why they didn't use the system Keychain. Easy to use and the OS takes care of all these problems.

        First, everything is always encrypted on the iPhone. With no passcode, that doesn't help much because the iPhone itself can read the data. With passcode set, the iPhone needs the passcode to read the data and no way around that. In addition, apps can request that a file is encrypted with a different key, which means the passcode needs to be entered _for that file_. And there's the keychain of course.

        Security risks are: Unencrypted backups to iTunes (there's a switch "encrypt backups". Turn it on). And as

        • by swinefc (91418) *

          Thank you. I didn't realize device specific keys are fused into the processor itself. This would, of course, render my comment about access to the flash chips incorrect.

          Storing it in the keychain (with the correct protection class) would prevent access even for an unencrypted backup.

          Also, specifically asking for per file data protection would prevent access for an unencrypted backup.

          Basically, doing anything other than the bare minimum would have prevented access to the Starbucks data.

          Does anyone have any

          • by mythosaz (572040)

            Apps with root access can see the entire filesystem, yes.

            You'd need (a) a rooted phone, and (b) to have given the application access -- e.g. many backup programs running on rooted phones.

            • by swinefc (91418) *

              Thank you very much for the reply.

              Then how do these malware apps spread or infect devices? Or is that just an over exaggerated example that really doesn't happen.

              • by mythosaz (572040)

                Most Android malware is installed by user choice, from unsavory sources. If you check the "Trust me, I know what I'm doing" box, you can install an .apk file from anywhere.

                Then, in the normal security dialogs, you'll let it do things like send messages or take photos or access the internet -- and then it does just that, except not when you're expecting it.

                Your new app can access "public" spaces in the filesystem, like saved photos, contacts (if allowed), etc. but it can't get data out of another program di

      • by Bungie (192858)
        As far as I know you cannot have an application request root on Android unless it's jailbroken. Only a few system apps have root access (like play store). Once the device is jailbroken there is a system app which can elevate root via a user dialog.
    • I don't see how an app could get data to a computer from a locked Android device unless the app managed to get itself root, or there was some other trick to break into the Android device (physical dumping the RAM), and if an attacker is that sophisticated, pretty much what an app tries to do for security is pointless.

      That doesn't seem terribly convenient. Why don't they do it like Apple does? /snark

      • "If this post is marked Troll, I pissed off a fanboy again." Or maybe you made a snarky post falsely implying Apple doesn't do exactly the same thing, even though they do?
        • "If this post is marked Troll, I pissed off a fanboy again." Or maybe you made a snarky post falsely implying Apple doesn't do exactly the same thing, even though they do?

          Except they don't. Plug in an iPhone and it'll immediately dump its guts to whatever its connected to without requiring interaction with the device itself. It does this by default. Android does not.

          • Utterly false. The phone needs to be unlocked (or the entire contents are encrypted) and the user needs to accept the computer as a trusted device from the phone.
    • unless someone enables debugging and authorizes a computer with its individual key to connect.

      Authorizing an individual computer wasn't introduced until around 4.2 (Jelly Bean 2) or thereabouts [androidpolice.com]. There are still Android devices in use running older operating systems whose manufacturer declines to update the operating system.

  • by Akratist (1080775) on Thursday January 16, 2014 @12:45PM (#45976973)
    Anyone who's ever worked in software has to realize that the incompetent pinheads that they've worked with before are still floating around out there, doing ever more damage, instead of just fading away and working as a greeter at Wal-Mart. I've worked with people whose code was terrible, at best, and who were barely able to get their crap to compile. I've also worked with people who had no concept of security (including storing plain text passwords). They've moved on to other software positions, and are still writing bad code for some surprisingly large names. And then, there's the pressure factor. I was once asked to implement a feature that the same as removing any user validation from a high-dollar enterprise app. I flatly refused, because I could pretty much walk out and be in another job within a couple of days. Would a person who is on edge of technical incompetency, and knowing their prospects are limited, take the same position? No, they'll say "Yes sir!", bang that code out, and move on to the next debacle. Good management would alleviate this, but let's face it -- bad managers are a dime a dozen, too.
    • by dkleinsc (563838)

      Funny story about this point (anonymized to protect the guilty): A former coworker described working with a guy about 5 years ago who wasn't familiar with the concept of an "array", or in fact much else that would imply any kind of structure or competence. He lasted about 3-5 days before he was caught. Well, I decided to move on, and landed a position in another organization, and lo and behold that same guy had been their sole developer for 4 years! In addition, he'd done some work for some small businesses

  • by slapout (93640) on Thursday January 16, 2014 @12:52PM (#45977063)

    Yeah, I'd like a Venti Latte with a shot of espresso and a shot of security vulnerabilities.

  • by Anonymous Coward on Thursday January 16, 2014 @12:52PM (#45977071)

    If you're concerned about data security, you don't have meaningful data on your phone. Most smartphone apps wouldn't pass as prototypes in any serious environment. The entire system is made to look nice first, functionality is a distant second and security doesn't even make the list. Users do not care. It's like credit cards: Convenience trumps all.

    • Quoting the wise AC to get this a little more visible:

      If you're concerned about data security, you don't have meaningful data on your phone. Most smartphone apps wouldn't pass as prototypes in any serious environment. The entire system is made to look nice first, functionality is a distant second and security doesn't even make the list. Users do not care. It's like credit cards: Convenience trumps all.
  • by aviators99 (895782) on Thursday January 16, 2014 @01:05PM (#45977237) Homepage

    First, there's no question that this is an example of a horrible design, and a security flaw that should be fixed.

    But the article is way over-the-top. It talks about "credit card numbers", pretty much implying that they are in clear text (TFA, not the actual report). Credit card numbers are not stored in clear text, nor would the clear text credentials give you access to the credit card numbers.

    Also, this is really an article about bypassing the lock code, and nothing else. Physical access to a computer (phone) can eventually get you more sensitive stuff than a cup of coffee.

    • First, there's no question that this is an example of a horrible design, and a security flaw that should be fixed.

      But the article is way over-the-top. It talks about "credit card numbers", pretty much implying that they are in clear text (TFA, not the actual report). Credit card numbers are not stored in clear text, nor would the clear text credentials give you access to the credit card numbers.

      Also, this is really an article about bypassing the lock code, and nothing else. Physical access to a computer (phone) can eventually get you more sensitive stuff than a cup of coffee.

      I don't think credit card numbers are used by the app, anyway. All it has is my Starbucks card linked to it, which in turn is linked to my credit card. But that's on their web site, not the phone app. Not saying they're doing any better of a job storing my credit card information in their back-end databases, but I'm reasonably sure it's not stored on my phone.

      • by gstoddart (321705)

        I don't think credit card numbers are used by the app, anyway. All it has is my Starbucks card linked to it, which in turn is linked to my credit card. But that's on their web site, not the phone app.

        So, the question one needs to ask is ... if the website is storing your credit card, and the app is storing your password in plaintext ... given your password and knowledge of your Starbucks card (which is apparently on the phone), can someone get into the Starbucks website and actually get to your credit card?

        • AFIAK, the website doesn't allow you to retrieve your credit card; just change it.

        • by brunes69 (86786)

          You can't find out your own CC number on the Starbucks website.

          The only thing someone could do with this "giant hack" is order a free lattee. Seeing how in order to do this "giant hack" they need your phone, why wouldn't they just sell it on eBay. After all you can get many lattes with $200.

  • simply by connecting the phone to a computer

    On first read I thought someone had hacked into their servers over dial-up, but it wasn't that interesting.

  • by magarity (164372) on Thursday January 16, 2014 @01:49PM (#45977677)

    The Starbuck's app requirement list clearly indicates all kinds of terrible behavio including it needs to be able to make calls and read your contacts list. There may be more, but after those two I stopped reading and declined to install. A vendor's app has no need to do these things. I figured if they're already that bad, there's no telling what mischief their app might get up to.

  • That's a Feature (Score:5, Insightful)

    by TangoMargarine (1617195) on Thursday January 16, 2014 @02:01PM (#45977803) Journal

    Firefox (unless you turn on the master password) and Pidgin also store passwords in cleartext. The Pidgin devs explained that this is because they don't want to implement security through obscurity, as anyone with access to the stored plaintext xml file already has access to your computer anyway and could presumably decrypt it if they tried to secure it anyway.

    Admittedly, it's a bit different when we're talking about cell phones.

    • Why exactly is it different when talking about cellphones? The exact same approach still works. What could Starbucks do to improve on this?
      • Well, if you leave your cellphone sitting around, it's a lot easier to steal than a desktop, and somewhat easier than a laptop or tablet. And do you keep your cell locked when you're not using it? How effective is the security on it to a real computer? I'm not knowledgeable about such things so I couldn't say.

  • Someone might steal your phone then... buy you a coffee?

  • I didn't spend much time on it, but this doesn't seem to be the case on Android. First of all, they never store things outside of /data/data/com.starbucks.mobilecard. So only a root application would be able to read things. Secondly, the main sqlite database they seem to be storing things in is encrypted.

  • If the app needed to "store the encrypted password" - what options would it have? It could encrypt and store it - but then it would need some sort of encryption key to do so - and the app would need that key (which would then have to be stored in the app.

    So, what's the solution? We're NOT talking about a password file that can be stored in a hashed manner - that's receiving and verifying passwords, not sending them. Web browsers don't store cookies/tokens in an encrypted manner - if you got them you could

    • by nedlohs (1335013)

      From the article:

      Daniel Wood, a Minneapolis-area computer-security specialist, said he was able to break into the app’s file containing his email address, user name and password. That’s the same file where credit-card information would go, which means it would be exposed if he had entered it, he said in an interview.

      So I suspect the issue is that he thinks CC data might also be available in plain text, but he couldn't be bothered spending the 10 seconds it would take to actually check if that i

      • I agree that the credit card info should NOT be there - but by virtue of the fact that he didn't say it was - I'd assume it is not. I'd also assume Starbucks would just keep CC info on their own web site, not on the phone.

        So - knowing that the app needs to somehow either cache this info in a way it can get it back to login, or have you re-enter the password every time, I'll ask again:

        What SHOULD they have done differently.

    • by cplusplus (782679)
      I'm not sure about iOS, but the Android SDK gives access to a excellent and easy to use crypto libraries, as well as a Keystore [android.com] class to securely store any keys your App generates. Check out the Security Tips [android.com] section of the SDK docs. I would assume iOS and Apple's SDK provide something similar. I would hope they do, anyway.

All life evolves by the differential survival of replicating entities. -- Dawkins

Working...