Most app developers have not yet settled whether mobile apps should be secure or easy to use. Research findings by Daniel Wood disclosed that Starbucks (NASDAQ:SBUX) was storing its users' data in plain text. As a result, users' passwords and geolocation data are highly vulnerable to theft if the iPhone is compromised. Starbucks' response to this research indicated that the company was aware of how exposed the user data was, but it expressed confidence that the same data would be hard for hackers to exploit. In fact, none of the app's 10 million users have raised concerns about lost data.
Starbucks is now working on extra measures aimed at updating the app with an additional level of protection. Before publishing his findings, Wood had asked the company's technical teams about the data vulnerability. It was their failure to respond to this inquiry that prompted Wood to post his findings publicly.
This is not the first time a company has been found storing customer data in plain text. RockYou, a social game developer, was fined $250,000 in 2012 by the Federal Trade Commission after storing 32 million e-mail addresses together with passwords in plain text. In the same year, Microsoft Store India was also shown to store its customers' passwords in plain text; this became evident after Chinese hackers breached the company's systems. In 2011, Sony Pictures was attacked by the notorious LulzSec, which exposed passwords for over 1 million customers stored in plain text. Such companies left the personal details of their customers exposed to spammers.
According to Tony Anscombe (head of free products at AVG Technologies), storing user data in plain text comes down to the trade-off between the security of those details and convenience. Most iOS applications do not store their users' data locally on the iPhone as Starbucks did. Where this has to happen, Apple's password management system should be used. This means that each user would be required to enter a login username and password whenever they need to use the application. This mechanism may be less convenient, but it is more secure for customers' details.
Starbucks' decision to store its customers' data on the device in plain text goes the other way. It means the data can be read directly by anyone with access to the phone, without needing to unlock the device first. Additionally, if a hacker connected the phone to a PC, they could easily view the crash log and read the username and password from it. According to Daniel Wood, the passcode lock built into every iPhone offers no layer of protection here, since a hacker does not need the user's PIN to extract data from the phone.
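The contrast described above, as an added example that is not code from the article or from the Starbucks app: the insecure pattern writes credentials to a plain-text file in the app sandbox, while the hardened pattern stores the secret in the iOS Keychain (assumed here to be what "Apple's password management system" refers to) with a protection class that keeps it encrypted while the device is locked and out of backups. The service name is a hypothetical placeholder.

```swift
import Foundation
import Security

// Hypothetical label for the Keychain item (assumption, not from the article).
let service = "com.example.coffeeapp.credentials"

// INSECURE pattern the article describes: credentials written to a plain-text
// file such as a crash or debug log. Anything on the app's filesystem can be
// read over a USB connection to a PC without knowing the device passcode.
func logCredentialsInsecurely(username: String, password: String) {
    let logURL = FileManager.default.temporaryDirectory.appendingPathComponent("session.log")
    let line = "user=\(username) pass=\(password)\n"
    try? line.write(to: logURL, atomically: true, encoding: .utf8)   // plain text on disk
}

// HARDENED pattern: store the secret in the Keychain. With this accessibility
// class the item is encrypted with a key that is only available while the
// device is unlocked, and it is never migrated to another device or backup.
func storePasswordInKeychain(username: String, password: String) -> OSStatus {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: username,
    ]
    // Remove any stale item so SecItemAdd does not fail with errSecDuplicateItem.
    SecItemDelete(query as CFDictionary)
    var attrs = query
    attrs[kSecValueData as String] = Data(password.utf8)
    attrs[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly
    return SecItemAdd(attrs as CFDictionary, nil)
}

// Read the secret back; returns nil while the device is locked or if absent.
func readPasswordFromKeychain(username: String) -> String? {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: username,
        kSecReturnData as String: true,
        kSecMatchLimit as String: kSecMatchLimitOne,
    ]
    var item: CFTypeRef?
    guard SecItemCopyMatching(query as CFDictionary, &item) == errSecSuccess,
          let data = item as? Data else { return nil }
    return String(data: data, encoding: .utf8)
}
```

The Keychain functions require a real iOS device or simulator with the Security framework; the insecure function is included only to make the difference in where the secret ends up concrete.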
Whenever hackers have access to app users' usernames and passwords, they can easily charge purchases at Starbucks until the pre-loaded balance runs out. Starbucks users can also activate an app setting that automatically replenishes their balance, in which case hackers could repeatedly draw funds from the user's bank account into the application.
There is no confirmation yet on whether the UK version of the app has the same security weakness. However, according to Wood, it is very likely that this version of the software is also affected, because the application is the same and merely uses the GB localization file. In his view, language localization cannot alter the functionality of the app.
The disclosure by Wood has led several app developers to question whether it is right to prioritize an application's ease of use without regard to its level of security and privacy. Starbucks' position is that it would rather keep its application convenient for the user, even at some cost to the level of privacy offered.
It is not yet clear what Starbucks plans to do about the security threat. However, most people believe the app needs to be updated to address the existing security flaws. The version tested by Wood was version 2.6.1, the most recent version in the App Store, which has not been updated since May 2013.