In last week’s roundup, we discussed the disclosure of a serious vulnerability in Starbucks’s iPhone app. The flaw, which existed for at least six months before Starbucks found out, and for a further month after they were alerted, caused all of the user’s credentials to be saved as plain text in a local file on the device.
In essence, once someone gained physical or remote access to the device and could read that file, they had access to:
* User’s full name
* Device ID
* Geo-location data
* Starbucks authentication ID (which would let an attacker buy lattes and other Starbucks products on the victim’s account)
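To make the failure concrete, here is the pattern the article describes (credentials written in clear text into the app’s own sandbox) alongside the Keychain-backed alternative that iOS provides for exactly this purpose. This is an added illustration, not code from Starbucks or from the original post; the type names, the service identifier and the file name `session.plist` are assumptions made for the example.

```swift
import Foundation
import Security

// Added illustration, not the app's real code. `SessionStore` names, the
// service identifier and the file name are assumptions for the example.

struct Credentials {
    let username: String
    let password: String
}

// INSECURE: a plain-text plist under Documents/. Anyone who can read the
// sandbox (jailbroken device, unencrypted backup, forensic tooling) reads it.
enum InsecureSessionStore {
    static var fileURL: URL {
        FileManager.default.urls(for: .documentDirectory, in: .userDomainMask)[0]
            .appendingPathComponent("session.plist")
    }

    static func save(_ c: Credentials) throws {
        let dict = ["username": c.username, "password": c.password]
        let data = try PropertyListSerialization.data(fromPropertyList: dict,
                                                      format: .xml, options: 0)
        try data.write(to: fileURL)   // clear text on disk: the class of bug discussed above
    }
}

// HARDENED: a generic-password Keychain item that is only readable while the
// device is unlocked and is never migrated to another device via backup.
enum KeychainSessionStore {
    static let service = "com.example.app.session"   // assumed identifier

    static func save(_ c: Credentials) throws {
        let query: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: c.username,
        ]
        SecItemDelete(query as CFDictionary)   // replace any existing item for this account

        var attrs = query
        attrs[kSecValueData as String] = Data(c.password.utf8)
        attrs[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly
        let status = SecItemAdd(attrs as CFDictionary, nil)
        guard status == errSecSuccess else {
            throw NSError(domain: NSOSStatusErrorDomain, code: Int(status))
        }
    }

    static func load(username: String) throws -> Credentials? {
        let query: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: username,
            kSecReturnData as String: true,
            kSecMatchLimit as String: kSecMatchLimitOne,
        ]
        var item: CFTypeRef?
        let status = SecItemCopyMatching(query as CFDictionary, &item)
        if status == errSecItemNotFound { return nil }
        guard status == errSecSuccess,
              let data = item as? Data,
              let password = String(data: data, encoding: .utf8) else {
            throw NSError(domain: NSOSStatusErrorDomain, code: Int(status))
        }
        return Credentials(username: username, password: password)
    }
}
```

Two caveats a reviewer would add. First, the Keychain protects data at rest, but an attacker who has the unlocked device or a jailbreak can still query it, so the larger fix is to store as little as possible: a short-lived, revocable session token rather than the password itself, and never the password in diagnostic or crash logs, which live in the same sandbox. Second, checking for this class of bug is cheap: pull the app’s data container (Xcode’s Devices window, or an unencrypted backup) and search it for a known username or password; anything that turns up in clear text is the problem described above.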
After originally denying the existence of any vulnerability, Starbucks decided to take the high road and released a new version of the app that fixed the issue.
Why is this so significant? Consider the way that both consumers and Starbucks (eventually) responded. Consumers have had enough of being asked to take responsibility for the insecurity of the systems they use. Companies, in turn, are realising that they need to provide security to their customers. Ready or not, consumers have already voted, hands down: client-side security is a business problem.
Starbucks might be just a coffee shop, but the same could be said of any retail app with security lapses. Banks are not the only ones that need to worry about app security. Mobile devices are replacing wallets at breakneck speed, and security must be part of the offering.