ZippyYum 3.4 Insecure Data Storage

`Title: [CVE-2013-6986] Insecure Data Storage in Subway Ordering for  
California (ZippyYum) 3.4 iOS mobile application  
  
Published: DATE  
Reported to Vendor: May 2013  
CVE Reference: CVE-2013-6986  
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6986  
  
CVSS v2 Base Score: 4.9  
CVSS v2 Vector (AV:L/AC:L/Au:N/C:C/I:N/A:N/E:H/RL:U/RC:C)  
  
Credit: This issue was discovered by Daniel E. Wood  
http://www.linkedin.com/in/danielewood  
  
Vendor: ZippyYum, LLC | http://www.zippyyum.com  
Application: https://itunes.apple.com/us/app/subwayoc/id510770549?mt=8  
Tested Version: 3.4  
  
File: SubwayOCKiosk.app  
App Name: Subway CA Kiosk  
Build Time-stamp: 2012-06-07_09-20-17  
  
1. Introduction: Subway CA is a mobile application available both on iOS  
and Android based devices that allows customers to build and order food  
menu items that can be paid for through the application using a payment  
card such as a debit or credit card.  
  
2. Vulnerability Description: The application stores sensitive data  
insecurely to cache files located within ../Caches/com.ZippyYum.SubwayOC/  
directory on the device.  
  
Loading Cache.db and/or Cache.db-wal in a tool that can read sqlite  
databases (such as RazorSQL) will allow a malicious user to read  
unencrypted sensitive data stored in clear-text.  
  
Sensitive data elements found within Cache.db and Cache.db-wal:  
- password and encryptionKey for the application/user account  
- customerPassword  
- customerEmail  
- deliveryStreet  
- deliveryState  
- deliveryZip  
- paymentMethod  
- paymentCardType  
- paymentCardNumber  
- paymentSecurityCode  
- paymentExpMonth  
- paymentExpYear  
- paymentBillingCode  
- customerPhone  
- longitude (of device)  
- latitude (of device)  
- email  
  
3. Vulnerability History:  
May 9, 2013: Vulnerability identification  
May 15, 2013: Unofficial vendor notification  
August 4, 2013: Official vendor notification via report  
September 20, 2013: Vulnerability remediation notification*  
December 7, 2013: Vulnerability disclosure  
  
*Current Version: 3.7.1 (Tested: only customerName, customerEmail,  
customerPhone, location, paymentCardType are in clear-text within  
Subway.sqlite-wal)  
`