Starbucks Confirms Storing Unencrypted Passwords in iOS App (Update)
If you’re a big fan of using the Starbucks app on your iPhone, today’s news might make you change your mind. According to Computerworld, Starbucks confirmed that its iPhone app stored username and password data in plain text and unencrypted.
This means that anyone with access to your phone can see your username and password just by connecting the phone to a computer and viewing the crash logs. Furthermore, if you have Location Services enabled in the app (useful for locating Starbucks locations around you), anyone can also get a list of geolocation tracking points to see where you’ve been.
Starbucks is well aware of how it stores usernames and passwords on the app, but the company says that your personal information is safe anyway, noting that it made changes and implement security measures to make sure that no one can steal your credentials, although the company didn’t mention what these security measures were.
UPDATE: Starbucks has announced on its blog that it is “working to accelerate the deployment of an update for the app that will add extra layers of protection.”
So why aren’t usernames and passwords encrypted on the Starbucks app? Convenience. Users only have to log in once, and from there they can use the app without ever having to log in again. If Starbucks were to encrypt passwords, users would have to log in each time they wanted to use the app. Furthermore, it doesn’t seem like Starbucks is moving quickly to fix this issue, as the app hasn’t been updated in months.
Then again, someone who wanted your Starbucks password would need to steal your phone first, and they would need a little know-how in order to download the right data to their computer in order to see your password. Nonetheless, it’s not exactly comforting knowing that Starbucks really doesn’t seem to care about unencrypted passwords, since convenience is more important to them. And if there’s one thing you should know about brute security, it’s that there’s nothing convenient about it.