Starbucks Admits That Its iPhone Mobile Payment App Stores Unencrypted Personal Info

UPDATE: Starbucks has announced it will release an updated, more secure version of its app.

Starbucks’ chief information officer Curt Garner says there will be a new iOS app that will “add extra layers of protection” to the “added measures” that he claims already “sufficiently address the concerns” referenced in earlier stories about the vulnerability, reports Engadget. There’s no exact date set for the release, however.

———— ORIGINAL POST BELOW ————

Do you use the Starbucks mobile payment app on your iPhone? If so, you might want to keep an extra tight hold on the device, as Starbucks admitted this week that the app stores your username, password and email address in plain text.

The vulnerability was first noted by security researcher Daniel Woods and reported by ComputerWorld yesterday, and it appears to only apply to the iOS app.

Before you go running to uninstall the mobile payment app, which is the most used of its kind in the U.S., know that a hacker would need physical access to your phone and would have to plug it into a computer to glean that information. That being said, if someone with even a little bit of hacking smarts did get hold of your phone, it’d be pretty easy to snag that unencrypted information.

Starbucks customers can use the mobile app to pay for their purchases at the store, and only have to input their username and password when activating the payment part of the app for the first time or when they add money to the app. Otherwise customers would have to enter that information every time they wanted to buy something, which would presumably be quite annoying.

The company has been busy acknowledging the security risk, with Chief Digital Officer Adam Brotman telling ComputerWorld that the company has known for some undefined length of time that personal information was being stored in clear text.

“We were aware,” Brotman said. “That was not something that was news to us.”

He added that the issue should no longer be a concern because “we have security measures in place now related to that” and “we have adequate security measures in place now,” without actually saying what those measures were.

Meanwhile, various Starbucks spokespeople have been stressing that the possibility of the vulnerability being exploited is “very far-fetched,” according to one spokeswoman who spoke to CNN.

Another spokesman told the Seattle Times that the company has “taken steps to safeguard customers’ information and protect against the theoretical vulnerabilities raised in the report, but we are unable to discuss any of the details because we want to protect the integrity of our security measures.”

As for what will happen next, it would appear that perhaps a newer version of the app could prevent the theft of customers’ information. To that end, the spokesman said Starbucks is “also looking at whether updating the app would add another layer of protection.”

Until there’s an updated version of the app (if that even happens; as The Verge points out, Starbucks hasn’t felt the need to update the iPhone version since May), the best thing to do is simply keep your phone with you, always and forever, and cross your fingers that you don’t get robbed or leave it in the back of a cab.

“Anything they have done on their end won’t matter as the vulnerability lies within the application on end user devices,” Woods explains to The Verge.

Insecure Data Storage of User Data Elements in Starbucks v2.6.1 iOS mobile application [Seclists.org]
Evan Schuman: Starbucks caught storing mobile passwords in clear text [ComputerWorld]
Starbucks iPhone app vulnerable, security specialist says [Seattle Times]
Starbucks admits its iPhone app stores unencrypted user passwords [The Verge]
Starbucks app leaves passwords vulnerable [CNN]