Starbucks iOS app leaves user data in the clear
Usernames, e-mail addresses, passwords, and location data among exposed data.
by Jason Inofuentes Jan 16 2014 Ars Technica
The most popular mobile payment systems in the US may also be among the leakiest. Security researcher Daniel Wood went public with his research Tuesday, revealing that the Starbucks iOS app exposes customers' usernames, e-mail addresses, passwords, and certain location data.
The problem doesn't arise directly from the Starbucks app. Rather, it stems from the cleartext logs maintained by the app's crash analytics software. The software, known as Crashlytics, allows developers to log application data for subsequent analysis in the event of an error. Crashlytics advises its partners to not log sensitive data, such as usernames and passwords. In this instance, the Starbucks app is passing user data along to the session.clslog file without any efforts to conceal it.
...