App Testing and Sins of Omission
Starbucks released a mobile app that stored passwords in clear text. There's a good chance that a lot of other companies just don't know whether they could find themselves in the same situation.
Tue, January 28, 2014
Computerworld — The Starbucks passwords-in-the-clear boo-boo has begun to fade now that the company has fixed the errant mobile-payment app. But the episode should be a major heads-up, not just for Starbucks' security team, but for every developer of mobile apps.
It looks more and more like Starbucks committed a sin of omission. The coffee chain tested its app before it was released back in May 2013, but it didn't look at everything the app was saving to the device. It was primarily checking that everything worked as it was supposed to.
That kind of security sin of omission is one that a huge number of large companies are guilty of, especially when it comes to mobile apps.
Starbucks' official stance is that management did not know that an app-crash analytics program -- called Crashlytics and purchased by Twitter last year -- was storing passwords in clear text when it captured data to facilitate recovery after a crash. As spokesperson Linda Mills said, "We knew in May 2013 of the existence of the temporary crash log file for crash diagnostics, but did not know that the clear text contained account user name and password." I have talked to a person who is familiar with the early testing, however, who told me that management knew that passwords were being retained in clear text. What's the truth? I don't know. It could be that there were people in IT who knew about the password problem but didn't communicate that properly through channels.
But there's a bigger issue here, and it's about a lot more than just Starbucks. I'm talking about an assumption that I believe a lot of companies are prone to make when developing apps: There's no reason to suspect that sensitive information is being captured and written to disk. With that assumption, no one looks for that sort of thing. And then it comes as a big surprise that, hey, yeah, that very thing is in fact happening.
Here's my message to all companies that might take that attitude: You have to view mobile apps as the informationally dangerous critters that they are. That means a lot more testing, including looking closely at what these apps actually store on the device, not just whether they work.
You say you don't have the time or money to do that? I disagree. When security researcher Daniel Wood examined the Starbucks files and performed static analysis, he didn't have a large budget, and it didn't take a huge amount of time. "This type of testing focuses on what type of data elements are being stored on the disk, whether in temporary cache files, memory, or permanent data files that are used for normal operation," Wood said. "It also includes analyzing application files for improper programmatic methods or functions being utilized and usually includes what is called secure code review to determine if an application is sanitizing input and output properly, among other concepts."
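The kind of on-disk check Wood describes can be scripted with very little effort. The example below is added here and is not code from the article, from Starbucks or from Crashlytics: a tester logs in to the app with credentials seeded for the test, then scans the app's data container for those values in the forms they commonly land on disk (plain, UTF-16, base64, URL-encoded), including inside gzip-compressed logs that a plain grep would miss. The container layout, the seeded credentials and the files in it are constructed for the demonstration and are not a real app's data.

```python
"""Scan an app's data container for seeded test credentials.

Added example: not from the Computerworld article, Starbucks or Crashlytics.
Constructed container layout and credentials; not a real app's data.
"""
import base64
import gzip
import tempfile
import urllib.parse
from pathlib import Path

GZIP_MAGIC = b"\x1f\x8b"

# Constructed credentials: the tester logs in with these, then checks
# whether any file the app wrote contains them.
SEEDED = {
    "username": "alice.canary@example.com",
    "password": "Pa55w0rd!canary",
}


def encodings_of(secret: str) -> dict:
    """Forms in which a string commonly ends up on disk without being encrypted."""
    raw = secret.encode("utf-8")
    forms = {
        "plain": raw,
        "utf-16le": secret.encode("utf-16-le"),
        "base64": base64.b64encode(raw),
        "url-encoded": urllib.parse.quote(secret, safe="").encode("ascii"),
    }
    # Drop forms identical to an earlier one so a hit is not reported twice
    # (e.g. URL-encoding of a secret with no special characters).
    unique, seen = {}, set()
    for name, needle in forms.items():
        if needle not in seen:
            seen.add(needle)
            unique[name] = needle
    return unique


def read_file_bytes(path: Path) -> bytes:
    """Read a file, transparently decompressing gzip so compressed logs are covered."""
    data = path.read_bytes()
    if data.startswith(GZIP_MAGIC):
        try:
            return gzip.decompress(data)
        except OSError:  # truncated or corrupt archive: scan the raw bytes instead
            return data
    return data


def scan_container(root: Path, secrets: dict) -> list:
    """Return (relative path, secret name, encoding) for every file that leaks a secret."""
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        content = read_file_bytes(path)
        for name, value in secrets.items():
            for enc_name, needle in encodings_of(value).items():
                if needle in content:
                    findings.append((path.relative_to(root).as_posix(), name, enc_name))
    return findings


def build_sample_container(root: Path) -> None:
    """Constructed app sandbox mimicking an iOS-style container layout."""
    (root / "Library/Caches").mkdir(parents=True)
    (root / "Library/Preferences").mkdir(parents=True)
    (root / "Documents").mkdir(parents=True)
    # A crash-diagnostics log that captured the login form verbatim.
    (root / "Library/Caches/crash.log").write_text(
        "2014-01-15 crash in LoginViewController\n"
        f"fields: username={SEEDED['username']} password={SEEDED['password']}\n"
    )
    # A preferences file that merely base64-encodes the password.
    token = base64.b64encode(SEEDED["password"].encode()).decode()
    (root / "Library/Preferences/session.json").write_text('{"token": "%s"}' % token)
    # A gzip-compressed diagnostic bundle containing the username.
    with gzip.open(root / "Documents/diag.log.gz", "wb") as f:
        f.write(f"login user={SEEDED['username']}\n".encode())
    # A file with no secrets, to show the scan does not flag everything.
    (root / "Documents/store.db").write_bytes(b"SQLite format 3\x00 no credentials here")


def demo() -> list:
    """Build the constructed container in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_container(root)
        return scan_container(root, SEEDED)


if __name__ == "__main__":
    for rel_path, name, enc in demo():
        print(f"{rel_path}: {name} stored as {enc}")
```

On a real engagement the container root would be the app's sandbox pulled from a jailbroken device or an emulator, and the seeded values would be whatever the tester typed into the login form; anything the scan reports, including "obfuscated" forms like base64, is a finding to raise with the developers, since none of those encodings protects a password at rest.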