How to avoid the Starbucks app debacle


The popular Starbucks mobile app was recently found to store user credentials in such a way that anyone who connects the phone to a PC can read the username and password in plain text. First reported by security researcher Daniel Wood, the offending log file written by the app also contains an extensive list of geolocation tracking points, which makes it a privacy nightmare should the phone be lost or stolen.

Wood publicly disclosed the vulnerability after his attempts to contact Starbucks and get the company to fix the weakness went nowhere. As you might expect, this generated a fair amount of publicity once the news was picked up by various publications, and Starbucks was pushed into releasing an update last week that addresses the issue. With so many businesses releasing their own apps to complement their services and stand out, how can they avoid the same debacle happening to them?

Writing on the issue on Sophos's popular Naked Security blog, Paul Ducklin offers a short list of tips that app developers would do well to follow. For one, Ducklin suggests using a secure storage mechanism such as the iOS Keychain to hold passwords and other confidential data; the Starbucks update apparently moves the credentials that used to sit in the log file into the Keychain.

Developers should also "never allow decrypted passwords to be written to disk, even to temporary files." The same goes for sending decrypted passwords across the network: do so only over a properly encrypted connection such as SSL/TLS. You can read the original disclosure on version 2.6.1 of the Starbucks iOS app here.
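To make Ducklin's two points concrete, here is an added example of how an iOS app can keep a password out of its own files. It is illustrative code written for this page, not Starbucks' or Sophos's code, and it assumes Swift on iOS with the Security framework; the service name "com.example.coffeeapp", the account "alice@example.com" and the password are placeholders. The first part stores the credential in the Keychain with an accessibility class that keeps it off other devices and out of unencrypted backups; the second part wraps the secret in a type that redacts itself in print, string interpolation and dump, so a stray debug statement or crash-reporting log cannot write the plaintext to disk the way the Starbucks log file did.

```swift
// Added example for this article (hypothetical app, not Starbucks' code).
// Assumes iOS and the Security framework; names are placeholders.
import Foundation
import Security

enum KeychainError: Error {
    case unexpectedStatus(OSStatus)
}

/// One secret per account, stored as a generic-password Keychain item.
struct KeychainStore {
    let service: String

    private func baseQuery(for account: String) -> [String: Any] {
        return [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account,
        ]
    }

    /// Insert or update. "ThisDeviceOnly" stops the item from migrating to other
    /// devices or into unencrypted backups; "WhenUnlocked" means it is only
    /// readable while the device is unlocked.
    func save(_ secret: Data, for account: String) throws {
        let query = baseQuery(for: account)
        let attributes: [String: Any] = [
            kSecValueData as String: secret,
            kSecAttrAccessible as String: kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
        ]
        var status = SecItemUpdate(query as CFDictionary, attributes as CFDictionary)
        if status == errSecItemNotFound {
            let item = query.merging(attributes) { _, new in new }
            status = SecItemAdd(item as CFDictionary, nil)
        }
        guard status == errSecSuccess else { throw KeychainError.unexpectedStatus(status) }
    }

    /// Returns nil when no item exists for the account.
    func load(for account: String) throws -> Data? {
        var query = baseQuery(for: account)
        query[kSecReturnData as String] = true
        query[kSecMatchLimit as String] = kSecMatchLimitOne
        var result: CFTypeRef?
        let status = SecItemCopyMatching(query as CFDictionary, &result)
        switch status {
        case errSecSuccess: return result as? Data
        case errSecItemNotFound: return nil
        default: throw KeychainError.unexpectedStatus(status)
        }
    }

    func delete(for account: String) throws {
        let status = SecItemDelete(baseQuery(for: account) as CFDictionary)
        guard status == errSecSuccess || status == errSecItemNotFound else {
            throw KeychainError.unexpectedStatus(status)
        }
    }
}

/// A password wrapper that redacts itself in print(), "\(...)" interpolation,
/// debugPrint() and dump(), so logging a struct that contains it cannot leak it.
struct Secret: CustomStringConvertible, CustomDebugStringConvertible, CustomReflectable {
    private let value: String
    init(_ value: String) { self.value = value }
    var description: String { return "<redacted>" }
    var debugDescription: String { return "<redacted>" }
    var customMirror: Mirror { return Mirror(self, children: [:]) }

    /// The only way to reach the plaintext: hand it to a closure that uses it
    /// immediately, e.g. to build the body of an HTTPS request. Never pass the
    /// result to a logger or write it to a file.
    func withValue<T>(_ body: (String) throws -> T) rethrows -> T {
        return try body(value)
    }
}

// Usage: the username is the Keychain account, the password is the payload.
let store = KeychainStore(service: "com.example.coffeeapp")
let password = Secret("hunter2")  // constructed test value
try? password.withValue { try store.save(Data($0.utf8), for: "alice@example.com") }
print("saved credentials for \(password)")  // prints "<redacted>", not the password
```

Two caveats a practitioner will want: the Keychain protects the stored copy, not copies that third-party crash-reporting or analytics SDKs make of your log output, so audit what those SDKs write into the app container; and iOS App Transport Security refuses plain HTTP by default, so the password handed to `withValue` should only ever go into a `URLSession` request to an https URL, never into a log line.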

For more:
- check out this article at PC Magazine
- check out this blog post on Naked Security
