A recent vulnerability disclosure for the Starbucks iOS app has prompted a discussion about balancing the needs for convenience and security in app design. While some onlookers have decried the safety of the app, which stores user data locally in plain text, Starbucks has downplayed the threat, even as it has promised to release an update. Such intentional “flaws” are instructive for developers, who must consider the degree to which they are willing to implement security safeguards.
Understanding the problem
The Starbucks iOS app flaw was discovered by researcher Daniel Wood, who made the details public after spending two months unsuccessfully trying to contact Starbucks. The issue cited by Wood is that the app stores user credential information – username, email address and password – in plain text on the user’s device, making it possible for someone with access to take the information and log into the account online or on another mobile device. The disclosure notes that app developers should use output sanitization to keep this information from being stored locally in clear text in log files.
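The output sanitization the disclosure recommends can be shown with a logging filter that redacts credential fields before a line is written to the local log. This is an added example in Python, not code from the Starbucks app or from Wood's disclosure; the field names, logger name and sample log lines are constructed assumptions.

```python
import io
import logging
import re

# Field names treated as sensitive (assumption: key=value or JSON-style pairs are logged).
SENSITIVE_KEYS = ("password", "passwd", "username", "email")

# Matches key=value, key: value and "key": "value" for the sensitive keys.
_PAIR = re.compile(
    r'(?i)(["\']?\b(?:%s)\b["\']?\s*[=:]\s*)("[^"]*"|\'[^\']*\'|[^\s,&;}]+)'
    % "|".join(SENSITIVE_KEYS)
)
# Catches e-mail addresses that appear outside a labelled field.
_EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def redact(text: str) -> str:
    """Replace credential values with a fixed marker before text reaches disk."""
    text = _PAIR.sub(lambda m: m.group(1) + "[REDACTED]", text)
    return _EMAIL.sub("[REDACTED]", text)


class RedactingFilter(logging.Filter):
    """Sanitise the fully formatted message, so values passed as args are covered too."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = None  # arguments are already merged into msg
        return True


def demo() -> str:
    """Log constructed sample lines through the filter and return what was written."""
    sink = io.StringIO()  # stands in for the on-device log file
    handler = logging.StreamHandler(sink)
    handler.addFilter(RedactingFilter())
    log = logging.getLogger("session_demo")
    log.handlers = [handler]
    log.setLevel(logging.DEBUG)
    log.propagate = False
    # Constructed sample input, not taken from the real app.
    log.debug("POST /login username=jdoe&password=%s", "Tr1ckyPass!")
    log.debug('response: {"email": "jdoe@example.com", "status": "ok"}')
    log.debug("signup confirmation sent to jdoe@example.com")
    return sink.getvalue()


if __name__ == "__main__":
    print(demo())
```

Redaction of this kind only keeps credentials out of logs; it does not replace protected storage for any credential the app deliberately keeps on the device.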
Starbucks acknowledged the issue, and executives explained that they were already aware of it, dismissing the idea that it was in any way a threat. The company’s chief digital officer, Adam Brotman, told Computerworld that it “was not something that was news to us,” and spokeswoman Linda Mills told CNN Money that the possibility of the vulnerability being exploited was “very far fetched.”
To exploit the vulnerability, an attacker would need physical access to the phone, Computerworld noted. With that access, the attacker could spend the value stored on the Starbucks account and, if the account was set to auto-replenish from a bank account, continue racking up charges. The attacker could also access past geolocation data from the user’s account, Wood told the publication after performing a second check. Users would also be at risk if they used the same password for other sites.
In a statement on its website, Starbucks noted that it is not aware of any customers having been a target of the exploit. CIO Curt Garner reassured users that they “should continue to feel confident about the integrity of our iOS app” but noted that an update would soon be coming with “extra layers of protection.”
Balancing convenience and security
The decision to store the user’s credentials locally and in plain text is a practical one for Starbucks, Computerworld noted. Customers just need to use their password when activating the payment function of the app or when adding money to their account. With a different approach, customers might have to enter their password each time they used the app, which would make purchases considerably more complicated. One of the reasons for the app’s popularity is its convenience. But that’s also the challenge it faces.
“A company like Starbucks has to make the choice between usability to drive adoption and the potential for misuse or fraud,” Charlie Wiggs, mobile vendor Mozido’s general manager and senior vice president for U.S. markets, told Computerworld. “Starbucks has opted to make it very convenient. They just have to make sure that their comfort doesn’t overexpose their consumers and their brand.”
Gartner analyst Avivah Litan told the publication that it was surprising Starbucks opted for such lax security and highlighted the fact that customers tend to reuse passwords as the real threat. “Consumers reuse their passwords whenever they can,” she noted. According to Wiggs, the problem might be more that consumers could lose confidence in mobile payments. Tony Anscombe, head of free products at security software company AVG, explained in a blog post that the problem was ultimately that Starbucks had put customers at risk without their consent.
“Companies should be designing apps and online services with their customer’s best interests at heart,” he wrote. “I believe that consumer choice when it comes to data privacy and security should be a major factor in all app design and development. By championing convenience over security, Starbucks has essentially made a choice on the behalf of the consumer that they would prefer convenience over privacy. Most websites give you the option to ‘remember me’ which allows the user to make a choice in what works best for them.”
While the effects of this decision seem minimal beyond stirring up a broad controversy, they do raise an important question for developers to consider when building their own apps: Should they opt for convenience like Starbucks did and risk the fallout, or should they secure features and risk limiting adoption and use? Regardless of their approach, they will want to ensure there are no unintended security flaws, and they can benefit from using tools like static analysis software to scan for potential risks. The convenience versus security debate is a constant point of contention in the software security world, and developers should not head into it unprepared.
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.