An alarming issue with the way the Starbucks iOS app, popularly used to conduct mobile transactions at the chain of coffee shops, stores its passwords has been uncovered. Late last year security researcher Daniel Wood discovered that the app was storing usernames and passwords unencrypted in clear text directly on the device.
The setup makes it convenient and easy for users to quickly pay for goods without having to constantly enter their account credentials, but it also means any thief able to get their hands on a stolen iPhone with a Starbucks app could easily gain access to a saved account. Wood attempted to contact Starbucks directly about his concerns before going public earlier this week.
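As an added illustration (not Starbucks' code and not taken from Wood's findings), the pattern the article describes is shown beside the form it should take on iOS. The first function writes the username and password as plain text into the app's sandbox, where anyone with the device, a jailbreak, or an unencrypted backup can read it; the second and third store and read the secret through the iOS Keychain as a generic-password item. The service name and file name are assumptions for the example.

```swift
import Foundation
import Security

// Insecure pattern (for comparison only): credentials written as plain text to a
// file in the app's Documents directory. Anything that can read the device file
// system or an unencrypted backup can read this file.
func storeInsecurely(username: String, password: String) throws {
    let dir = FileManager.default.urls(for: .documentDirectory, in: .userDomainMask)[0]
    let file = dir.appendingPathComponent("credentials.txt")   // hypothetical file name
    try "\(username)\n\(password)".write(to: file, atomically: true, encoding: .utf8)
}

enum KeychainError: Error { case unexpectedStatus(OSStatus) }

// Hardened form: the secret goes into the Keychain, is readable only while the
// device is unlocked, and is never migrated to another device via backup.
func storePassword(service: String, account: String, password: String) throws {
    var query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
    ]
    // Delete any existing item so a re-login replaces the old secret.
    _ = SecItemDelete(query as CFDictionary)
    query[kSecValueData as String] = Data(password.utf8)
    query[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly
    let status = SecItemAdd(query as CFDictionary, nil)
    guard status == errSecSuccess else { throw KeychainError.unexpectedStatus(status) }
}

// Reads the secret back; returns nil when no item is stored for this account.
func readPassword(service: String, account: String) throws -> String? {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
        kSecReturnData as String: true,
        kSecMatchLimit as String: kSecMatchLimitOne,
    ]
    var item: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &item)
    if status == errSecItemNotFound { return nil }
    guard status == errSecSuccess, let data = item as? Data else {
        throw KeychainError.unexpectedStatus(status)
    }
    return String(data: data, encoding: .utf8)
}

// Usage (service name is an assumption for this example):
// try storePassword(service: "com.example.coffee", account: "user@example.com", password: "hunter2")
// let saved = try readPassword(service: "com.example.coffee", account: "user@example.com")
```

Two design notes for a reviewer looking at an app like this: the Keychain is the minimum, but the better design is to never keep the password on the device at all and instead hold a server-issued session token that can be revoked when a phone is reported stolen; and a quick audit check on a test device is to log in, then inspect the app's sandbox (Documents, Library/Preferences plists, Caches, and any SQLite files) for the credentials you just typed, since that is exactly how cleartext storage of this kind is found.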
When contacted, Starbucks representatives claimed they had made certain security changes to protect user information, but when the app was tested a second time not only were usernames and passwords still easily visible, but Wood was also able to easily access user location info.
Danger seems to be mitigated by the fact that a thief would first need to steal a phone (or at least have some access to it) before they could crack a Starbucks account. Even so, the most damage that could be done amounts to a shopping spree at Starbucks (and as long as auto-refill isn’t activated, once an account balance is drained it’s drained). But if it so happens that the victimized user has the same credentials set up for other accounts, that could potentially spell trouble.
As of now, despite claims to the contrary, account info still seems to be handled in a relatively unsafe manner by the Starbucks app. It raises an important question about convenience over security.