Starbucks 'Chose Convenience Over Security' In Leaving iOS App Vulnerable

Jan 16 2014, 4:36pm CST | in News


Is it better for mobile apps to be easy-to-use, or secure? It’s a question that app developers constantly grapple with in the face of a competitive landscape, and it can sometimes take a data breach like Snapchat’s to push them in the latter direction. Earlier this week, security researcher Daniel Wood disclosed his findings on how Starbucks was storing data about users of its iOS app in plain text and locally on a device, making passwords and even geolocation data about users vulnerable to theft if the wrong kind of hacker got hold of their iPhone.


Starbucks has said it knows about the app’s vulnerability and that the possibility of it being exploited is “very far fetched.” It says that none of the app’s 10 million users have come forward to claim their data has been misused as a result.

Still, the company is now working on updating its app with “extra layers of protection.” Researcher Wood had approached Starbucks in December about the vulnerability and posted his findings publicly when he didn’t get a response from the chain’s technical teams.

This isn’t the first time a company has been called out for storing its customer data in plain text. The Federal Trade Commission fined social game developer RockYou $250,000 in the spring of 2012 after finding it had stored 32 million email addresses and passwords in plain text. At around the same time, the Microsoft Store India was shown to be storing passwords in plain text when it was breached by a team of Chinese hackers, while a year earlier the notorious LulzSec attack on Sony Pictures found that more than 1 million customers’ passwords were being stored in plain text, vulnerable to being stolen and used by spammers.

Habitually storing user data in this way boils down to a question of convenience over security, says Tony Anscombe, head of free products at security software firm AVG Technologies. Most iOS apps don’t store user data locally on the iPhone as Starbucks did, or they’ll use Apple’s password management system for iOS7, Keychain. It means users have to enter a login and password each time they use an app. “It’s less convenient, but much more secure,” Anscombe wrote in a blog post today.

“Starbucks has done the opposite, storing user data on the user’s device itself and in plain text,” he added. “This means that anyone with access to the phone and the relative know-how can freely access the data stored by the Starbucks app without even having to unlock the device.”

Wood’s disclosure forces app developers to question the larger issue of prioritizing ease of use over privacy and security. In this case, Starbucks had decided on behalf of the consumer that it would “prefer convenience over privacy,” Anscombe added. “While we understand the company’s desire to have more users enjoying their app, it should not be at the cost of securing personal data.”

Source: Forbes
