Starbucks Responds to Security Criticism With App Update


Well, that was fast. After facing significant criticism this week over reports that its mobile app is not secure and does not encrypt users’ login information, Starbucks (NASDAQ:SBUX) confirmed Thursday that it is preparing to launch an update to its app that will provide additional “safeguards” for customers. It is still unclear when the world’s largest coffee chain will update its app to Starbucks version 2.6.2, but according to Apple Insider, the company’s CIO promised Thursday that an update is coming “soon” and will ensure that usernames and passwords are no longer stored as plain text.

Starbucks first came under the spotlight earlier this week when one of its own customers, security researcher Daniel Wood, publicly reported on the lack of security Starbucks’s app operates under. Wood first alerted the Seattle-based company in December that storing data about users of its iOS app in plain text and locally on a device leaves users vulnerable to theft if smartphones get left in the wrong hands, but Starbucks spokespeople maintained up until Thursday that the probability of the app being exploited is “very far fetched.”

Unfortunately for the coffee company, though, those claims left Starbucks open for criticism, and led some to report that Starbucks “chose security over convenience” for its iOS app — a rumor that Starbucks wouldn’t let fly. That’s why the chain agreed later in the week to upgrade its app with “extra layers of protection,” effectively assuaging the concern of its users, even if it wouldn’t admit that the update is necessary.

At a time when consumers are concerned about their data’s security more than ever, it’s not surprising that Starbucks conceded and agreed to launch an app update Thursday. It is possible that the chain learned from the mistake of Snapchat, which was told by researchers in January that its data was insecure, and then suffered a wide-spread hack only a few days later when its warnings were not taken seriously. It is thus clear that data vulnerability is now on users’ minds, and companies have no choice but to protect its users against any risks if it wants to avoid criticism.

If you’re still wondering how Starbucks’s app was (and still is) leaving users vulnerable for a theft, it goes like this. Since Starbucks’ app saves customers’ usernames, passwords, and other personal information in plain text, Wood says that a hacker could easily pick up a lost phone, plug it into a laptop, and recover a Starbucks customer’s password without knowing the smartphone’s PIN code. It’s not that easy, though, because in order to access a customer’s information, one would need to access that person’s password, phone, have a computer handy, and know how to access the file.

Thus, it’s understandable why Starbucks maintains that exploitation is unlikely, but the company still needs to put users’ concerns at rest. App developers currently wrestle with the question of convenience versus privacy and security, and in this case, it is clear that security wins, even if it means requiring that customers now always sign into the app with an encrypted password.

More From Wall St. Cheat Sheet