As most people know, a cup of coffee can wake you up from a drowsy state. Security experts say Starbucks’ mobile app should wake developers and users to how insecure smart phone apps can be.
Last week security researcher Daniel Wood reported that Starbucks’ iOS app saved personal customer information in a clear-text file that could in theory be captured by a hacker.
Under normal circumstances, TechHive said, that wouldn’t be a problem as long as the data stays on the device. However, backing up to iTunes without encryption could expose the data.
But as a result of the controversy the story raised, Starbucks updated the app.
“We’d like to be clear: there is no indication that any customer has been impacted by this or that any information has been compromised,” Starbucks CIO Curt Garner said in a release. “Regardless, we take these types of concerns seriously and have added several safeguards to protect the information you share with us. To protect the integrity of these added measures, we are unable to share technical details but can assure you that they sufficiently address the concerns raised in the research report.”
“Out of an abundance of caution, we are also working to accelerate the deployment of an update for the app that will add extra layers of protection. We expect this update to be ready soon and will share our progress here. While we are working on the update, we would like to emphasize that your information is protected and that you should continue to feel confident about the integrity of our iOS app.”
In a follow-up in PCWorld, Antone Gonsalves quoted several security experts who said the incident should be a wake-up call to mobile developers that any app that stores usernames and passwords should encrypt the data.
These days, with data thefts reported from major U.S. retail chains including Target and Neiman Marcus, organizations have to remember that encrypting sensitive information has to be the norm.