Starbucks fixes iOS app bugs

A new version has been released which no longer writes the user's personal information to a file that can be accessed by others who have the phone.
Written by Larry Seltzer, Contributor

In response to the reports that their iOS app was writing the user's username and password in clear text to the device, Starbucks has released a new version — 2.6.2 — of that app.

Daniel Wood, the security researcher who found and reported the bug, has analyzed the new version and says that the major security problems in it that he reported have been fixed. He does have one recommendation for the app, but it's not a major issue.

As both Wood and we noted, there has been much exaggerated reporting on this bug. Only the iOS version was ever vulnerable. The user's credit card information was never in the file or otherwise exposed, but the Starbucks card number and balance were. The Starbucks servers were never compromised. There was no vulnerability in the app that would allow an attacker to run malicious code. The vulnerability was not remotely-exploitable; an attacker would need physical access to the phone, and probably need to cable it to a computer to access the data.

Some reports described a PIN bypass method. This is a method for bypassing the Starbucks app PIN in order to get at the data, not a way to bypass the iOS PIN. All the PIN does is to prevent access to the application; it doesn't allow a user browsing the file system from accessing the file.

Our report also jumped to an incorrect conclusion: The app does not need to crash in order for a session.clslog file to be created. The Crashlytics code generated it automatically, prior to the new version, when the app was backgrounded, for example when the user pressed the lock button.

Wood also reports that the geolocation log file is still created, although the app no longer keeps a running list of coordinates, which would allow some tracking of the user's movements. In the new version the app stores only the last location where a customer has used their device. Wood recommends that Starbucks remove this from the file, but doesn't consider it a significant issue.

Editorial standards