Following yesterday’s report that the official iOS Starbucks app was storing users’ credentials, passwords and GPS location in plain text — a big security no-no — the Seattle coffee maker has quickly pushed an update that seemingly resolves the issue. Or does it?
As we previously reported, security researcher Daniel Wood initially spotted the Starbucks app’s vulnerability. After alerting Starbucks to the issue, he downloaded an updated version of the app, which Starbucks claimed contained “adequate security measures,” only to find that little had changed: all your user data, email addresses, passwords and even your GPS location were still stored in plain text. The story blew up, and Starbucks’ CIO wrote an open letter saying it would be fixed.
Given all of this, it’s a little hard to know what to make of the Starbucks app’s 2.6.2 update, which promises “additional performance enhancements and safeguards.” Last time Starbucks claimed they’d fixed this, nothing had really changed. Could Starbucks have really added encryption of some sort to their app so quickly after all the recent fuss, or is this just another placebo?
To be honest, either way, this is probably not something you have to worry about. The only way a hacker could access your Starbucks data this way is if they had physical access to your device, in which case, you’ve got worse problems than someone mooching free coffee from you.
You can download the Starbucks app (and its new, more secure update) from the App Store for free.
- Source: iTunes