As promised, we have released an updated version of Starbucks Mobile App for iOS which adds extra layers of protection. We encourage customers to download the update as an additional safeguard measure.
The security bug was the result of excessive and insecure logging being performed by the app, which in some cases included saving passwords in cleartext. The problem came to light when security researcher Daniel Wood published his discovery to the Full Disclosure mailing list earlier this week.
The App Store release notes only list "additional performance enhancements and safeguards" for changes, but it looks like Starbucks has disabled the additional logging that was taking place by Crashlytics. Prior to the fix, the app was logging a large amount of debug data to a file called session.clslog. On certain user interactions, such as signing up for a new account, user details including usernames, passwords, emails, addresses and OAuth tokens were being logged to this file. This meant that if somebody were to gain access to your unlocked phone, they could use software to access that file and potentially obtain sensitive information.
With the update, all of the debug logging appears to have been disabled. While the old session.clslog file still originally appeared for iMore after the update, after restarting the Starbucks app the file was cleared out and left empty. After performing a number of actions in the app, such as signing out, signing in, failed login attempts, and creating a new user account, the session.clslog file remained completely empty. We've reached out to Mr. Wood for comment, but for now it appears that Starbucks has addressed all of the previously discovered issues. If you haven't already, be sure to grab the update.
Extra Credit: If you're interested in validating the fix for yourself, you can use a tool like PhoneView or iExplorer to check the Starbucks app for this file:
Library/Caches/com.crashlytics.data/com.starbucks.mystarbucks/session.clslog. After updating and running the app, this file should be 0 bytes and look empty if you open it in any text editor.
Update: Daniel Wood, the researcher who originally brought this issue to light, has now posted a follow-up confirming that the 2.6.2 update addresses the previous logging issues. You can read his full report over on the Full Disclosure mailing list.