Security?
0 views
Skip to first unread message
Anders Aagaard
Sep 26, 2009, 8:51:45 AM9/26/09
to ReaderScope
Do you store user passwords, or do you use more safe methods?
Do you always use https for logins?
Do you always use https for logins?
Jayesh Salvi
Sep 26, 2009, 11:27:11 AM9/26/09
to reade...@googlegroups.com
On Sat, Sep 26, 2009 at 6:21 PM, Anders Aagaard <aaga...@gmail.com> wrote:
Do you store user passwords, or do you use more safe methods?
The passwords are stored in a file on the phone after some obfuscation. For someone to get user's password stored by ReaderScope, they will have to go past following three steps:
1. In the Android framework, no app (or user) can access any other apps' internal files. The obfuscated password is stored in one of such files by ReaderScope. However on a rooted phone the person with physical access to the phone (and know-how of Android SDK) can reach to such file.
2. If someone opens the file, the password found will look like a string of numbers and characters which have no resemblance whatsoever with the original password. This is however not an unbreakable code. A knowledgeable person, can figure how to decode that string. It merely protects from accidental disclosure of user's plaintext password, in case the file is opened unknowingly.
3. If someone decodes the string, the result will be a jumbled form of actual password - an anagram. The jumbling is hard coded in the app. But it's not super difficult to break an anagram.
From the above three steps, step 1 is the strongest link and is under user's control. If anyone has suggestions for more secure mechanism, I am willing to consider.
Do you always use https for logins?
Yes, the login with Google happens over https. That's the only supported mechanism by Google.
Thanks,
Jayesh
Anders Aagaard
Sep 27, 2009, 3:41:30 AM9/27/09
to ReaderScope
1 : While this is true on most of the store bought ones, this is not
true on the developer phones.
For a more secure login you can use cookies, requiring the password
only on first start (and again if the cookie expires, which should
take very long).
On Sep 26, 5:27 pm, Jayesh Salvi <jayeshsa...@gmail.com> wrote:
true on the developer phones.
For a more secure login you can use cookies, requiring the password
only on first start (and again if the cookie expires, which should
take very long).
On Sep 26, 5:27 pm, Jayesh Salvi <jayeshsa...@gmail.com> wrote:
Jayesh Salvi
Sep 27, 2009, 3:52:40 AM9/27/09
to reade...@googlegroups.com
For a more secure login you can use cookies, requiring the password
only on first start (and again if the cookie expires, which should
take very long).
Good point. I will see if that works.
Thanks,
Jayesh
Reply all
Reply to author
Forward
0 new messages