I don't see a need for having to store 1 password or master key. I am very
impressed with the work that has gone into this app. A job very well done!
Thank you. It is exactly what I have been looking for and it has a lot of
potential for other apps. ega
For more information:
http://code.google.com/p/openintents/wiki/CryptoIntents
I wouldn't worry about MD5 vs. SHA1 when there's plaintext passwords being
serialized into Intents and sent around the system for anyone to read.
The master password is never sent over any intent, and no other application
except OI Safe ever gets to see it.
(Individual passwords for web sites are copied to the copy&paste buffer if
the user wishes so.)
I wasn't talking about the master password, but about the passwords
encrypted with the master password.
My point is, if you're looking at the overall security of things, it'll be
easier intercepting ACTION_SET_PASSWORD than trying to exploit a weakness
in MD5 in order to get at them.
I'm assuming here that an attacker's intent (excuse the pun) is to get at
the passwords stored in OI Safe; obtaining the master password would then
only be a means to an end the attacker can bypass completely.
That's why we require apps that want to use these intents to have the
necessary OI Safe permissions. The user has to grant these permissions at
installation time. Apps without them can't access the intents.
Of course this does not exclude the possibility that an app which got the
permission from the user is a malicious one... so the final responsibility
lies with the end user.
Permissions don't enter the picture. It takes all of five minutes to create
an app that receives ACTION_SET_PASSWORD and looks pretty much like OI Safe
to Joe User. It's got your password. End of story.
Yes, it would be a lot nicer if it could pass the password on to the real
OI Safe in order to fool the user more efficiently. Yes, it would need OI
Safe permissions for that. No, it would not be a problem to create a
legitimate app that wants those permissions, and at the same time
maliciously intercepts ACTION_SET_PASSWORD.
The point isn't that OI Safe is broken. I'm not saying that. What I *am*
saying is that any security concept will be attacked at its weakest point,
and the weak point with OI Safe is *not* MD5. It's that it's *incredibly*
easy to phish for passwords from Joe User if you send them around in
Intents.
When I downloaded OI I did not get the master password and therefore can't
now get in, and it's the only place I have a really important piece of
information. Can anyone help please? xx