Welcome to securityCRUSH

Welcome to the securityCRUSH blog, a place where you can find random musings as well as postings relevant to information security, penetration testing, and my latest projects - Daniel Wood.

Thursday, March 20, 2014

Starbucks revisited

Product: Starbucks iOS mobile application
Version: v3.0 (pre-release)
Vendor: Starbucks Coffee Company

The Starbucks iOS v2.6.1 mobile application was tested in November of 2013, and publicly reported on January 13, 2014 on the Full Disclosure security mailing list here.  The findings centered on the insecure storage of user data elements within a third-party API's (Crashlytics) log file, session.clslog.

In coordination with Starbucks, on January 17, 2014, the Starbucks iOS v2.6.2 mobile application (an emergency fix pushed to address the issues identified in v2.6.1) was independently tested to confirm that the updated application was no longer logging sensitive user data elements to this log file, or to any other file.  Results from the testing, as well as clarifications from the first round of testing, were posted to the Full Disclosure security mailing list here.
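As an added example (not code from the original post, and not Starbucks' or Crashlytics' code), this is the kind of check the retest above describes: scan an application's on-device log for the tester's own known account values and for generic sensitive-data patterns. The log lines and their format are constructed for the example and do not reproduce the real session.clslog layout.

```python
import re

# Constructed sample log; the line format is illustrative only and is not
# the real Crashlytics session.clslog layout.
SAMPLE_LOG = """\
2014-02-01 10:01:02 app_start version=2.6.2
2014-02-01 10:01:05 login username=tester@example.com
2014-02-01 10:01:05 login password=Hunter2!
2014-02-01 10:01:09 location lat=47.6062 lon=-122.3321
2014-02-01 10:01:12 card_lookup token=tok_placeholder
"""

# Values for the tester's own test account; none of them should ever appear
# in clear text in any file the app writes to the device.
KNOWN_SECRETS = {"email": "tester@example.com", "password": "Hunter2!"}

# Generic patterns worth flagging even when the exact value is unknown.
GENERIC_PATTERNS = {
    "email_address": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "password_field": re.compile(r"(?i)\bpass(word|wd)?\s*[=:]\s*\S+"),
    "coordinates": re.compile(r"\blat(itude)?\s*[=:]\s*-?\d+\.\d+"),
}


def scan_log(text, known_secrets=KNOWN_SECRETS, patterns=GENERIC_PATTERNS):
    """Return (line_no, kind, excerpt) for every line that leaks a known
    test-account value or matches a generic sensitive-data pattern."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        for name, value in known_secrets.items():
            if value and value in line:
                findings.append((no, f"known:{name}", line.strip()))
        for name, pat in patterns.items():
            if pat.search(line):
                findings.append((no, f"pattern:{name}", line.strip()))
    return findings


def log_is_clean(text, **kw):
    """Pass/fail verdict a retest would record for one log file."""
    return not scan_log(text, **kw)
```

Run it against every file in the app's sandbox (Documents, Library/Caches, tmp) after exercising login, payment and location features; a clean verdict across all of them is the retest result the paragraph above describes.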

Because of that independent testing, Starbucks extended an invitation to test the latest version of their mobile application (v3.0) prior to its public release.

Summary of Findings
Exhaustive testing was conducted on the Starbucks v3.0 iOS mobile application, covering the range of the OWASP Top 10 Mobile Risks, using a combination of automated and manual static and dynamic analysis methods.  No vulnerabilities were identified during the testing of the mobile application.  An exhaustive and detailed report was provided to Starbucks on March 3, 2014, prior to the public release of v3.0 of their iOS mobile application.