Hot beverage powerhouse Starbucks has released an updated version of its iOS app in response to reported security issues that could cause the disclosure of sensitive customer information.
The vulnerabilities, first reported on a security mailing list by researcher Daniel Wood, affected the the company’s popular app, which allows users to participate in the company’s loyalty program, as well as purchase and use in-store credit. As it turns out, the app saved several bits of personal customer information – including, it seems, their credit card numbers – in a clear-text file that is stored, unencrypted, on the device.
This is not quite as bad as it sounds; under normal circumstances, iOS’s sandboxing prevents the information from leaking outside of the app’s own storage, which means that it is reasonably secure as long as it stays on the user’s device. Backing up the phone to iTunes without encryption, however, would potentially leave the plain-text information up for grabs to anyone who has access to your computer. And, if your device happens to be jailbroken, the operating system’s sandboxing won’t be quite as secure.
For these reasons, it’s considered good practice to encrypt all the sensitive information that an app generates – in fact, iOS even provides several easy-to-use programming interfaces that make implementing this level of protection easy for developers. That’s probably the reason why Starbucks, after initially downplaying the significance of the problems reported by Wood, decided to backtrack, issuing a press release on Thursday and quickly moving to release an updated version of its app.
In the end, it’s telling that, despite the fact that this issue has probably affected Starbucks’s iOS app for years, there have been no reports of any information being stolen or otherwise leaked. And now that the update has been released, you can return to ordering your half-caf double-whip soy vanilla spice latte in peace.
by Marco Tabini, Macworld