Starbucks Phone App Stores Password Unencrypted

JThaddeus writes "The Daily Caller reports a serious security flaw in the Starbucks phone app: 'Starbucks confirmed late Tuesday that anyone could access the unencrypted data stored on the official Starbucks app simply by connecting the phone to a computer – bypassing lock screen or PIN security features with no hacking or jailbreaking necessary.' The linked report is for iOS. No mention of Android, but do you think it is any different?" (Starbucks says they've addressed the problem.)

Re:Hard to have this happen on Android...

[Sockatume]

This is wrong and should be ignored. It's not stored unencrypted in the app's data folders; it's sent unencrypted to the debug log, which is also readable to anyone on the host PC.

Re:Hard to have this happen on Android...

[immaterial]

My mistake - I didn't notice the CW article had multiple pages (derp). It does say this:

Do you feel secure because you use PIN protection on your phone? You shouldn't, says Wood. "You don't need a user's PIN in order to pull raw data off the phone using the tool and methods I have used," he said. "So if a user's phone is stolen, regardless of being PIN-protected, you are able to bypass that and access the apps Library/Cache and pull the session.clslog file."

However, I don't buy it. If this researcher has found a way to bypass the hardware encryption on a locked iOS device, that sounds like a bigger and more interesting security hole than one in a shitty Starbucks app.

Re:When will companies be held liable?

[Jason Levine]

I can't speak to the iOS installations, but Google Play reports that the Starbucks app has between 1 million and 5 million installs: https://play.google.com/store/apps/details?id=com.starbucks.mobilecard [google.com]

If iOS has a similar installation base, we're talking somewhere between 1 million and 10 million affected users.

Most popular smartphone payment app

[sjbe]

Why would anyone use a Starbucks app? My guess is that the security hole affected at most two people: The Starbucks marketing manager who wanted it and the guy who developed it.

The Starbucks app is THE most popular smartphone payment app for retailers out there. It allows you to bring up a barcode on your smartphone screen to pay. On the iPhone it also is aware of when you walk into a Starbucks location and you do not even have to pull up the app thanks to the Passbook on the iphone. You just swipe the screen and it brings the barcode up for payment. Very easy to use and faster than cash or credit card. Payment is behind the scenes with an credit card attached to a Starbucks card. You can have multiple cards and transfer balances between them. If you want to see the future of using a smartphone to pay for products, you should be looking at this app. Starbucks is way ahead of anyone else in implementing this stuff. If you actually go into a Starbucks you'll almost certainly see someone using their smartphone to pay for their drinks.

No I don't work for Starbucks and I'm not promoting or disparaging the product. Merely describing what Starbucks has done. It is attention worthy whether you like Starbucks or not.