Starbucks will update its iOS app to address security concerns


Earlier today we told you about a report that raised security issues concerning the Starbucks iPhone app. A researcher discovered that the most used mobile-payment app in the US stores unencrypted user data like passwords and emails.

The problem with this is that by connecting your iPhone to a computer, someone could easily retrieve this info from a crash log—no jailbreak required. And the only way for Starbucks to fix the vulnerability is through an App Store update…

Initially, it didn’t sound like the company was going to address the issue. Executives said that Starbucks already had “security measures in place” to ensure safety. But all of the negative PR it’s been receiving must have changed their tune.

Here’s the press release:

“Your security is incredibly important to us. This week a research report identified theoretical vulnerabilities associated with the Starbucks Mobile App for iOS in the event a customer’s iPhone were to be physically stolen and hacked.

We’d like to be clear: there is no indication that any customer has been impacted by this or that any information has been compromised. Regardless, we take these types of concerns seriously and have added several safeguards to protect the information you share with us. To protect the integrity of these added measures, we are unable to share technical details but can assure you that they sufficiently address the concerns raised in the research report.

Out of an abundance of caution, we are also working to accelerate the deployment of an update for the app that will add extra layers of protection.”

Starbucks says that the update should be ready soon and it would share its future progress on the blog. It also wanted to reiterate that all customer info is protected, and users should continue to feel confident in the integrity of its iOS app.

Concerns regarding the Starbucks app were first raised last November, when security researcher Daniel Wood discovered  it was keeping confidential data in a plain text file. Wood said he tried contacting the company several times, to no avail.