Starbucks executives have confirmed that the coffee chain’s mobile payment app has been storing payment credentials in cleartext.

The app, the most widely used mobile payment app in the US, had been storing usernames, email addresses and passwords unencrypted on the device, so anyone with physical access to the handset could read the credentials by connecting the phone to a computer and pulling the app's files off it.

Starbucks chief digital officer Adam Brotman admitted executives were aware of the issue, saying: "We were aware – this was not something that was news to us."

Some in the security industry have criticised Starbucks for prizing customer convenience over security.

The Starbucks app only requires the customer to enter their credentials once, when activating the payment option, and to enter the password again only when adding money to the card.

Although this spares customers from re-entering their details at every purchase, it means something has to be kept on the phone to authorise later payments; the app kept the credentials themselves, and kept them unencrypted.


The issue was first revealed by security researcher Daniel Wood, who published some of his research on 13 January after unsuccessfully trying to contact Starbucks.

Brotman played down customer fears over security, saying Starbucks had added "extra layers of security", without specifying what these "extra layers" were.

However, Wood challenged this dismissal of the security flaws, saying he had re-run tests on an updated Starbucks app with the same results.

This time, Wood also found that the app kept a cleartext geolocation history file, which recorded his co-ordinates every time he used the app to locate his nearest Starbucks.

Wood said: "If you grab someone’s phone, you can effectively go through this log and see effectively where this person has been. It’s a bad thing for user privacy.

"You don’t need a user’s PIN in order to pull raw data off the phone using the tool and methods I have used," he added.

"So if a user’s phone is stolen, regardless of being PIN-protected, you are able to bypass that and access the app's Library/Cache and pull the session.clslog file."

Responding to Wood’s findings, Curt Garner, the Starbucks CIO, said, "What you’ve described is fair, at a high level. From a design perspective, this could have potentially happened."

He declined to make any more specific comments, saying he could not talk about security measures in any more detail.
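The check Wood describes, pulling the files out of the app's container and reading them, can be automated. The scanner below is an added example written for this article, not Starbucks' code or Wood's own tooling: it walks an extracted app sandbox, skips binary files, and flags e-mail addresses, password fields and latitude/longitude pairs sitting in cleartext. The file names echo the article (Library/Caches, session.clslog), but the sample contents are constructed for the demonstration and are assumptions, not the real log format; `scan_directory` runs the same scan over a real container that has been copied to disk.

```python
"""Scan an extracted mobile-app sandbox for cleartext credentials and
location history.

Added example for this article; it is not Starbucks' code or Daniel Wood's
tooling. The directory layout (Library/Caches, session.clslog) echoes the
article, but the file contents below are constructed for the demo and are
not the real log format.
"""
import re
from pathlib import Path
from typing import Dict, List, Tuple

Finding = Tuple[str, str, str]  # (relative path, kind, value)

# Constructed sample of an app container pulled off a device: {path: bytes}.
SAMPLE_SANDBOX: Dict[str, bytes] = {
    "Library/Caches/session.clslog": (
        b"2014-01-13 09:12:44 login user=alice@example.com password=Hunter2!\n"
        b"2014-01-13 09:13:02 locate lat=47.6097 lon=-122.3331\n"
        b"2014-01-14 18:40:19 locate lat=47.6205 lon=-122.3493\n"
    ),
    "Library/Preferences/com.example.app.plist": (
        b"<plist><dict><key>email</key><string>alice@example.com</string>"
        b"<key>password</key><string>Hunter2!</string></dict></plist>"
    ),
    # Binary file: must be skipped rather than produce false positives.
    "Library/Caches/logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
}

# Things that should never be sitting unencrypted in an app's files.
PATTERNS = [
    ("email", re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")),
    # key=value / key: value style, as found in logs and config files
    ("password", re.compile(rb"(?i)(?:password|passwd|pwd)\s*[=:]\s*([^\s<&\"']+)")),
    # XML plist style: <key>password</key><string>...</string>
    ("password", re.compile(rb"(?i)<key>(?:password|passwd)</key>\s*<string>([^<]+)</string>")),
    # latitude/longitude pairs, i.e. a location history
    ("coordinates", re.compile(
        rb"(?i)lat(?:itude)?\s*[=:]\s*(-?\d{1,3}\.\d+)[\s,;]+lon(?:gitude)?\s*[=:]\s*(-?\d{1,3}\.\d+)")),
]


def is_probably_text(data: bytes) -> bool:
    """Cheap binary check so images and databases are not pattern-matched."""
    if not data or b"\x00" in data:
        return False
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(data) >= 0.9


def scan_file(path: str, data: bytes) -> List[Finding]:
    """Return every pattern hit in one file as (path, kind, value)."""
    findings: List[Finding] = []
    if not is_probably_text(data):
        return findings
    for kind, pattern in PATTERNS:
        for m in pattern.finditer(data):
            # Capture groups hold the interesting part; otherwise use the whole match.
            if m.groups():
                value = ",".join(g.decode("ascii", "replace") for g in m.groups())
            else:
                value = m.group(0).decode("ascii", "replace")
            findings.append((path, kind, value))
    return findings


def scan_sandbox(files: Dict[str, bytes]) -> List[Finding]:
    """Scan an in-memory {relative path: bytes} view of an app container."""
    findings: List[Finding] = []
    for path in sorted(files):
        findings.extend(scan_file(path, files[path]))
    return findings


def scan_directory(root: str) -> List[Finding]:
    """Same scan over a real extracted container on disk (e.g. from a backup)."""
    base = Path(root)
    files = {str(p.relative_to(base)): p.read_bytes()
             for p in base.rglob("*") if p.is_file()}
    return scan_sandbox(files)


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per kind, for a quick verdict on the container."""
    counts: Dict[str, int] = {}
    for _, kind, _ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


def redact(value: str) -> str:
    """Never echo a recovered secret in full into a report."""
    return value[:2] + "*" * max(len(value) - 2, 0)


if __name__ == "__main__":
    for path, kind, value in scan_sandbox(SAMPLE_SANDBOX):
        shown = redact(value) if kind == "password" else value
        print(f"{path}: {kind} -> {shown}")
    print(summarize(scan_sandbox(SAMPLE_SANDBOX)))
```

A hit from this scan is a finding even on a PIN-locked handset, for the reason Wood gives: the file is readable once the container has been copied off the phone. The remedy is a design choice rather than a log-scrubbing one: keep the password off the device altogether, or at the very least in the platform's protected credential store rather than in a cache directory.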
