Starbucks Phone App Stores Password Unencrypted

JThaddeus writes "The Daily Caller reports a serious security flaw in the Starbucks phone app: 'Starbucks confirmed late Tuesday that anyone could access the unencrypted data stored on the official Starbucks app simply by connecting the phone to a computer – bypassing lock screen or PIN security features with no hacking or jailbreaking necessary.' The linked report is for iOS. No mention of Android, but do you think it is any different?" (Starbucks says they've addressed the problem.)

When will companies be held liable?

When will companies be held liable for implementing incompetent security (or not implementing it all)?

The marketing weenies are all over getting the brand out, but don't give a shit about security.

Companies should be getting fined for crap like this. Between data beaches and gross incompetence at any form of security, trusting a marketing app is the height of stupid.

Re:When will companies be held liable?

[Sarten-X]

Never. Per the last few hundred years of legal precedent, the companies are the victims. It's in the same category as leaving a house unlocked. Legally, the person at fault is the one who decided to abuse the flaw and access information they aren't supposed to.

There is a case for negligence, but that requires that the negligent party be unreasonably incompetent, and at the moment, most companies with these kind of security problems are performing on par with most of America - the non-techies who don't understand security.

Re:When will companies be held liable?

[mlts]

Inductive reasoning states never.

Look at historic security breaches in the past that resulted in massive data compromise. Most companies that were breached are back to their stock norms, or perhaps even higher [1] a few quarters after the incident. Couple this with the belief that security has no ROI...

I wouldn't expect anything to change anytime soon.

[1]: I remember being told by an MBA that all press is good press, so a security breach is still getting a company name in front of people's eyes/ears where they may never have gotten with normal advertising methods.

Re:When will companies be held liable?

[geogob]

Never. Per the last few hundred years of legal precedent, the companies are the victims. It's in the same category as leaving a house unlocked. Legally, the person at fault is the one who decided to abuse the flaw and access information they aren't supposed to.

Have fun trying to sell that to your insurance company.

Re:When will companies be held liable?

[gstoddart]

but that requires that the negligent party be unreasonably incompetent

Oh, I don't know ... storing passwords in plain text sounds pretty unreasonably incompetent since we've known for 30+ years it's a stupid idea.

It's not like there should be anybody who doesn't know that yet. At least not anybody you should be trusting to write code.

Re:When will companies be held liable?

[Flatwater]

I suspect that if you read the EULA you clicked through, not only did you agree not to hold them liable for their crappy software, you also gave them permission to burn down your house and shoot your dog.

Re:When will companies be held liable?

[aviators99]

There is a case for negligence

Not if there are no damages. I don't see anything about anyone losing money yet.

Re:When will companies be held liable?

I don't know where you live, but throughout most of the world content insurance covers theft.

Both break and enter as well as trespassing don't require the door to be locked. Theft doesn't depend on either of the above cases to be met (if your ladder sticks up over your fence, or your lawnmower is sitting on public land (an easement), or your door mat is sitting outside an apartment unit in a common space, theft is still "depriving someone of lawfully acquired property without the permission of the owner nor the intention to return the item without damage or use".

Content insurance is optional for MOST insurance plans, but that doesn't for a second mean it's "not available".

If a thief walked into your home and jacked a TV because a window was left unlocked, and your insurance company denied the claim on those grounds, it's time to change to a new insurance company. They may ask that you do something to prevent such issues from occurring in the future ELSE your rates may go up, but they cannot deny a claim unless they can prove intentional negligence on the owner's part (like hanging a "free" sign on something and wondering why it went missing)

Re:When will companies be held liable?

[Antipater]

Not the company, the app. I know my first thoughts when seeing this story were "Starbucks has an app? What? Why?"

Re:When will companies be held liable?

[Aaden42]

Before you have grounds for a suit based on liability, you have to show harm that wasn’t already reimbursed by anyone who you might seek to hold liable.

There’s no “harm” done to you by having your password stored in the clear on your device. If someone got that password, used it to run up charges on your account, then there’s harm done. If Starbucks policy results in you being refunded and not being held accountable for those charges, then there’s still no harm. You’ve already been made whole in monetary terms before any legal proceeding might have commenced, QED no grounds for any legal proceeding.

Also, as others have pointed out, the harm isn’t actually perpetrated by Starbucks in this case. It’s done by whoever got your phone, extracted the password, and used it for mayhem. A defense attorney for Starbucks would make a (rather valid IMHO) argument that by allowing someone else to take your phone and plug it into their computer, you failed to take reasonable actions to secure your own system. At best, Starbucks is responsible for only a portion of the liability, and then you’re talking civil juries deciding percentages of fault to assign damages.

I do think the “left your house unlocked, got robbed” analogy is a bit off for this though. As far as the user could reasonably know, setting a lock code on your phone should be enough to qualify as “locking the house.” Unbeknownst to the user/homeowner, there was a flaw in the lock that allowed it to be trivially picked even if it was properly locked. Some liability is due the lock maker in this case, as it could be reasonably argued the product wasn’t fit for the purpose it was sold. I don’t think that applies quite as cleanly to Starbucks in this case as 1) the app is free (not sold), and 2) the app’s purpose for which it’s marketed isn’t to keep your password secure. That’s something one might expect/hope of it, but it’s a stretch to turn that expectation into grounds for a lawsuit.

The harm in any such case is likely to be well below that of the legal fees to pursue it unless you manage to get them on some statutory minimum penalties (in excess of the actual value of the harm) or turn it into a class action which would require significant numbers of people who were actually harmed (their passwords were used). I’m not aware of any such statute for something like this. Maybe some kind of treble damages thing for gross negligence, but you’re still talking triple the cost of a couple of cups of coffee, so not something worth suing over. Given how trivially, stupidly easy it is in iOS to store a password like this in Keychain in such a way that it can’t be dumped by simply plugging in the device, calling this gross negligence isn’t much of a stretch.

The only way to fix something like this would be to pass new legislation that specifically creates a tort for the act of storing user’s credentials (or perhaps PII in general) in an insecure manner. I’d personally like to see that done, but the details of how to define “a secure manner” and what information should be covered would take a lot of work to hash to prevent loopholes or making it so onerous that developers couldn’t actually comply with it for any non-trivial app.

Re:When will companies be held liable?

[Jason+Levine]

I can't speak to the iOS installations, but Google Play reports that the Starbucks app has between 1 million and 5 million installs: https://play.google.com/store/apps/details?id=com.starbucks.mobilecard

If iOS has a similar installation base, we're talking somewhere between 1 million and 10 million affected users.

Re:When will companies be held liable?

[dkleinsc]

It's in the same category as leaving a house unlocked.

That analogy is incorrect. In a correct analogy, the locksmith installed a lock that he swore up and down would protect your home, you locked the door thinking you were fine, and then somebody came in and stole a bunch of things. And that would in fact make the locksmith liable, especially if there was a written guarantee on the lock and the locksmith's work (but even if not, there's the implied warranty of merchantability that says that he's still liable).

And as soon as you look at the case that way, Starbucks is being negligent, just like the locksmith was in our analogous scenario. The key factor here is that the victim of the crime is not the person who left themselves vulnerable to it through their own stupidity.

Bad Coffee, Bad App

What's the difference? Patronize a local shop that doesn't over-roast the coffee.

Re:Bad Coffee, Bad App

[malakai]

Love my mocha's. Can't tell you how many times I got to a 'local' coffee house and get a crap mocha. Some like to put store bought chocolate syrup in it, others like to add a mocha powder without first turning it into a wet paste. I've had Swiss Miss packets added to a late and told this was their 'Cafe Mocha'.

All in all, I can count on one hand the number of good cafe mocha's I've had at 'local' coffee houses.

On the other hand, every Starbucks I got into, anywhere in the world, seems to have the same Cafe Mocha. It's as if they had a recipe and the barista's were trained to make it. I like being in a town for the first time in my life, finding a Starbucks and feeling a little bit like being at home.

In the end, I reward any store on it's quality, I don't stereotype a store based on it's number of locations or perceived local community value. Would you patron a crap restaurant just because it's "local"?

Re:Bad Coffee, Bad App

[hawguy]

Love my mocha's. Can't tell you how many times I got to a 'local' coffee house and get a crap mocha. Some like to put store bought chocolate syrup in it, others like to add a mocha powder without first turning it into a wet paste. I've had Swiss Miss packets added to a late and told this was their 'Cafe Mocha'.

All in all, I can count on one hand the number of good cafe mocha's I've had at 'local' coffee houses.

On the other hand, every Starbucks I got into, anywhere in the world, seems to have the same Cafe Mocha. It's as if they had a recipe and the barista's were trained to make it. I like being in a town for the first time in my life, finding a Starbucks and feeling a little bit like being at home.

In the end, I reward any store on it's quality, I don't stereotype a store based on it's number of locations or perceived local community value. Would you patron a crap restaurant just because it's "local"?

I think you are confusing quality with consistency... At Starbucks you are getting a known quality, it may not always be the best but its always the same. Independent places can be hit and mis, but usually once you find one that makes a product you like, its always good there. I have a good number of coffee shop choices and I go to one for a good latte and another for a good iced coffee (with coffee ice cubes too). But when I travel I usually go to Starbucks because I know its the same everywhere.

Re:Bad Coffee, Bad App

[Joce640k]

Yep.

Why on earth would anybody need a "Starbucks App". With sensitive information in it, and a password.

What information is there to hack? If it's anything more than where the nearest store is and you coffee preference then you're DOING IT WRONG.

Hard to have this happen on Android...

[mlts]

On Android, a phone will appear as a storage device or camera, unless someone enables debugging and authorizes a computer with its individual key to connect.

I don't see how an app could get data to a computer from a locked Android device unless the app managed to get itself root, or there was some other trick to break into the Android device (physical dumping the RAM), and if an attacker is that sophisticated, pretty much what an app tries to do for security is pointless.

Re:Hard to have this happen on Android...

[Sockatume]

This is wrong and should be ignored. It's not stored unencrypted in the app's data folders; it's sent unencrypted to the debug log, which is also readable to anyone on the host PC.

Re:Hard to have this happen on Android...

[immaterial]

The summary is wrong. If you dig back to the original ComputerWorld article, it says, "The credentials were stored in such a way that anyone with access to the phone can see the passwords and usernames by connecting the phone to a PC. No jailbreaking of the phone is necessary." Nothing about bypassing the pin in a locked phone like the summary or shitty article the summary links to; you have to connect the phone to a computer, have it unlocked, and allow the computer access to the phone (this applies to iOS as well as Android). Even the ComputerWorld article's mention of jailbreaking is a bit of a non-sequitur.

Re:Hard to have this happen on Android...

[swinefc]

iOS is actually very similar. Without an application like PhoneView or Xcode, just connecting a device will not provide obvious access to per application data that is not explicitly shared. If the device is locked, then access is unavailable even to those methods. If the application itself requested data protection, then even physical access to the flash chips would prove useless. Of course, a developer who decided to store everything in plain text would probably not take the extra strep to request encryption. I just wonder why they didn't use the system Keychain. Easy to use and the OS takes care of all these problems.

Android question... I realize that an app by default doesn't have access to other app's per user data, but can an app request root or access an other's data in a permissions request presented to the user? My concern with Android security has always been that lay people do not read or even understand the implications of permission dialogs presented to them. So, could another malicious app gain access to the Starbucks data through laziness or ignorance of the user?
 

Re:Hard to have this happen on Android...

[immaterial]

My mistake - I didn't notice the CW article had multiple pages (derp). It does say this:

Do you feel secure because you use PIN protection on your phone? You shouldn't, says Wood. "You don't need a user's PIN in order to pull raw data off the phone using the tool and methods I have used," he said. "So if a user's phone is stolen, regardless of being PIN-protected, you are able to bypass that and access the apps Library/Cache and pull the session.clslog file."

However, I don't buy it. If this researcher has found a way to bypass the hardware encryption on a locked iOS device, that sounds like a bigger and more interesting security hole than one in a shitty Starbucks app.

Re:Hard to have this happen on Android...

[immaterial]

"If this post is marked Troll, I pissed off a fanboy again." Or maybe you made a snarky post falsely implying Apple doesn't do exactly the same thing, even though they do?

Is this really a surprise?

[Akratist]

Anyone who's ever worked in software has to realize that the incompetent pinheads that they've worked with before are still floating around out there, doing ever more damage, instead of just fading away and working as a greeter at Wal-Mart. I've worked with people whose code was terrible, at best, and who were barely able to get their crap to compile. I've also worked with people who had no concept of security (including storing plain text passwords). They've moved on to other software positions, and are still writing bad code for some surprisingly large names. And then, there's the pressure factor. I was once asked to implement a feature that the same as removing any user validation from a high-dollar enterprise app. I flatly refused, because I could pretty much walk out and be in another job within a couple of days. Would a person who is on edge of technical incompetency, and knowing their prospects are limited, take the same position? No, they'll say "Yes sir!", bang that code out, and move on to the next debacle. Good management would alleviate this, but let's face it -- bad managers are a dime a dozen, too.

Re:Is this really a surprise?

[dkleinsc]

Funny story about this point (anonymized to protect the guilty): A former coworker described working with a guy about 5 years ago who wasn't familiar with the concept of an "array", or in fact much else that would imply any kind of structure or competence. He lasted about 3-5 days before he was caught. Well, I decided to move on, and landed a position in another organization, and lo and behold that same guy had been their sole developer for 4 years! In addition, he'd done some work for some small businesses on the side, and screwed up their stuff too.

So don't hate these people too much: Reasonably competent people like me can make very good money cleaning up their messes!

My Order

[slapout]

Yeah, I'd like a Venti Latte with a shot of espresso and a shot of security vulnerabilities.

Nobody gives a fuck

If you're concerned about data security, you don't have meaningful data on your phone. Most smartphone apps wouldn't pass as prototypes in any serious environment. The entire system is made to look nice first, functionality is a distant second and security doesn't even make the list. Users do not care. It's like credit cards: Convenience trumps all.

A bit over-sensationalized

[aviators99]

First, there's no question that this is an example of a horrible design, and a security flaw that should be fixed.

But the article is way over-the-top. It talks about "credit card numbers", pretty much implying that they are in clear text (TFA, not the actual report). Credit card numbers are not stored in clear text, nor would the clear text credentials give you access to the credit card numbers.

Also, this is really an article about bypassing the lock code, and nothing else. Physical access to a computer (phone) can eventually get you more sensitive stuff than a cup of coffee.

Re:A bit over-sensationalized

[Anonymous+Psychopath]

First, there's no question that this is an example of a horrible design, and a security flaw that should be fixed.

But the article is way over-the-top. It talks about "credit card numbers", pretty much implying that they are in clear text (TFA, not the actual report). Credit card numbers are not stored in clear text, nor would the clear text credentials give you access to the credit card numbers.

Also, this is really an article about bypassing the lock code, and nothing else. Physical access to a computer (phone) can eventually get you more sensitive stuff than a cup of coffee.

I don't think credit card numbers are used by the app, anyway. All it has is my Starbucks card linked to it, which in turn is linked to my credit card. But that's on their web site, not the phone app. Not saying they're doing any better of a job storing my credit card information in their back-end databases, but I'm reasonably sure it's not stored on my phone.

Re:A bit over-sensationalized

[gstoddart]

I don't think credit card numbers are used by the app, anyway. All it has is my Starbucks card linked to it, which in turn is linked to my credit card. But that's on their web site, not the phone app.

So, the question one needs to ask is ... if the website is storing your credit card, and the app is storing your password in plaintext ... given your password and knowledge of your Starbucks card (which is apparently on the phone), can someone get into the Starbucks website and actually get to your credit card?

In which case, this would be a security risk because you're only really one hop from the CC info.

If this password is also how you log into the website, then it's still terrible security and not really going to deter anybody.

Quality is a complicated thing

[sjbe]

I think you are confusing quality with consistency...At Starbucks you are getting a known quality, it may not always be the best but its always the same. Independent places can be hit and mis, but usually once you find one that makes a product you like, its always good there

And you seem to be confusing quality with preference. Preference can be a component of quality but quality is more complex and some aspects of quality have a strong subjective component. Part of quality is fitness for a particular purpose, part of it is consistency of output, part of it is the relative superiority of the product, part of it is conformance to specifications, etc. Reliability, sustainability, serviceability and other factors may play a role.

You cannot really define quality solely in terms of customer preferences because customers often prefer things that are objectively inferior or even dangerous by some measure. We have customers at my company all the time that specify products that if built to their specs would not meet industry standards would fail in the field. What the customer thinks they want isn't always what they actually want.

When it comes to Starbucks products, they have very good quality by some measures. Their quality on more subjective measures depends on who is doing the evaluation. Obviously a lot of people like their products and are willing to pay a lot for them. Others not so much. I think a lot of people just dislike Starbucks not so much based on their merits of their products but rather based on a more vague dislike of the corporation or the experience of the place.

Always look at the app requirements

[magarity]

The Starbuck's app requirement list clearly indicates all kinds of terrible behavio including it needs to be able to make calls and read your contacts list. There may be more, but after those two I stopped reading and declined to install. A vendor's app has no need to do these things. I figured if they're already that bad, there's no telling what mischief their app might get up to.

That's a Feature

[TangoMargarine]

Firefox (unless you turn on the master password) and Pidgin also store passwords in cleartext. The Pidgin devs explained that this is because they don't want to implement security through obscurity, as anyone with access to the stored plaintext xml file already has access to your computer anyway and could presumably decrypt it if they tried to secure it anyway.

Admittedly, it's a bit different when we're talking about cell phones.

Re:omg starbucks gift card numbers at risk

[BronsCon]

The app also links to one or more credit cards, to refill the Starbucks cards. Seems to me that, if I had your password, I could add my own Starbucks card to your app, transfer all your card balances to it, load it up from your credit card(s), and remove it from your app. And hey, wouldja lookit that? I just emptied out your checking account because one of those credit cards was actually a Visa check card. Oh damn.

I use the Starbucks app, but will remove it from my phone now, until this issue has been provably fixed (and not just a "we've fixed it" from the marketing monkeys who caused it to begin with).

Most popular smartphone payment app

[sjbe]

Why would anyone use a Starbucks app? My guess is that the security hole affected at most two people: The Starbucks marketing manager who wanted it and the guy who developed it.

The Starbucks app is THE most popular smartphone payment app for retailers out there. It allows you to bring up a barcode on your smartphone screen to pay. On the iPhone it also is aware of when you walk into a Starbucks location and you do not even have to pull up the app thanks to the Passbook on the iphone. You just swipe the screen and it brings the barcode up for payment. Very easy to use and faster than cash or credit card. Payment is behind the scenes with an credit card attached to a Starbucks card. You can have multiple cards and transfer balances between them. If you want to see the future of using a smartphone to pay for products, you should be looking at this app. Starbucks is way ahead of anyone else in implementing this stuff. If you actually go into a Starbucks you'll almost certainly see someone using their smartphone to pay for their drinks.

No I don't work for Starbucks and I'm not promoting or disparaging the product. Merely describing what Starbucks has done. It is attention worthy whether you like Starbucks or not.