Does Starbucks’ mobile app do enough to protect user information?
Starbucks has come under fire in the tech world this week for the security measures -- or lack thereof -- that it uses to protect user information stored within its mobile payment app.
Security researcher Daniel Wood published a report Monday that says Starbucks stores user passwords, email addresses, user names and GPS location files in plain text in its mobile payment app -- a claim that has been confirmed by the coffee company.
Potentially, this puts users at risk should anyone steal their smartphone. By connecting the device to a computer, a thief could download all of the information above within 30 minutes, whether or not the smartphone is protected with a security code.
“We were aware,” Starbucks Chief Digital Officer Adam Brotman told Computerworld. “That was not something that was news to us.”
Starbucks has chosen to keep users’ information stored on their device in plain text because it makes using the app more convenient. Users simply log in once and can then use the app to pay for coffee without ever logging in again.
Encrypting passwords and storing them in Starbucks’ own, secure servers would ultimately result in users having to log in every time they want to use the app, much like users of mobile banking apps.
The potential for users to have their information exposed is limited -- they must first have their device stolen. But in an era when users are having their privacy compromised left and right (see: Snapchat, Target), it raises the question of whether Starbucks should do more to protect its users.
What do you think? Weigh in through the comments.