User information, whether it’s preferences for where you buy coffee or application passwords, can be a valuable commodity. That’s why it has long been a best practice to ensure that potentially sensitive data is not just stored or sent in the clear, without first being encrypted.
A pair of incidents this past week helped highlight the fact that modern applications from big-name vendors can still miss this best practice.
One of those companies is coffee giant Starbucks, which was accused this week of not properly encrypting information with its mobile app. A potential attack would only work against the Starbucks app if an attacker had physical access to the device, which could likely also put other user content at risk.
“We’d like to be clear: there is no indication that any customer has been impacted by this or that any information has been compromised,” Curt Garner, Starbucks’ CIO, wrote in an open letter to Starbucks customers on Thursday, Jan. 16. “Out of an abundance of caution, we are also working to accelerate the deployment of an update for the app that will add extra layers of protection.”
That new update for the Starbucks app became available Jan. 17.
In a separate move, social media giant Twitter, as of Jan. 14, at long last is now enforcing the use of Secure Sockets Layer (SSL) encryption for its API users. API users include many third-party tools and widgets, which may also potentially have been used to pass confidential user information.
While I personally don’t have any direct knowledge of the Twitter API being leveraged as part of an attack recently, the fact that the information was passed in the clear is just not a good best practice. In the modern world, user information is valuable, and so too are Twitter accounts. By enforcing SSL for all its users now, Twitter is taking a much needed step to protect the security of its global community.
It’s also a message that the CA (Certificate Authority) Security Council is now pushing in a new white paper titled “Always-On SSL.”
“Always-On SSL is an approach to securing end-user security for the duration of each user’s visit to your Website—from beginning to end,” the white paper states.
There was a time, not all that long ago, when the use of data encryption for both data at rest and data in motion was considered too costly to use everywhere. With an increase in computing power on devices and on servers, it’s a performance cost that has gone down considerably.
Given the risk of privacy and user exploitation that non-protected user data represents, it’s a risk that should not be ignored.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.