Hello,

I started to take a quick look at [1], for a better encryption of the passphrase for all the iOS variants (stored as plaintext ATM). For that I started looking at our neat Pbkdf2 class, from AeroGear-Crypto.

The idea is to store both: the encrypted password + the salt in the database, instead of the plaintext version of the password/passphrase.

Something like here:

https://github.com/matzew/psswd-salting/blob/master/src/test/java/net/wessendorf/salt/LittleTest.java#L35-L43

This works fine on things like logins:

https://github.com/matzew/psswd-salting/blob/master/src/test/java/net/wessendorf/salt/LittleTest.java#L46-L54

However, I am afraid it does not work for the iOS passphrase, required to connect to Apple - looks like the library we use requires it in plain text... (due to Apple? Not sure...)

https://github.com/notnoop/java-apns/blob/master/src/main/java/com/notnoop/apns/ApnsServiceBuilder.java#L159

BTW, here is the relevant usage inside of our UnifiedPush Server:

https://github.com/aerogear/aerogear-unifiedpush-server/blob/master/server/src/main/java/org/jboss/aerogear/unifiedpush/message/sender/APNsPushNotificationSender.java#L146

I am now wondering if there is something we can do for [1], in the long run, not now? 

I see the 'java-apns API' supports passing in a java.security.KeyStore, but unfortunately I am not sure if there is an impl. of that which is able to deal w/ encrypted passwords or if something like that might even work at all :-/


Greetings,
Matthias

[1] https://issues.jboss.org/browse/AGPUSH-358

--
Matthias Wessendorf

blog: http://matthiaswessendorf.wordpress.com/
sessions: http://www.slideshare.net/mwessendorf
twitter: http://twitter.com/mwessendorf
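As an added illustration (not code from the mail, from AeroGear-Crypto or from java-apns), this is the salted-PBKDF2 store-and-verify scheme the mail links to, written against Python's standard library; the record layout `iterations$salt$hash` and the parameter choices are assumptions. It also makes the limitation raised in the mail concrete: such a record can only be verified, never reversed into the passphrase that java-apns needs in clear, so a one-way KDF is the wrong primitive for that particular secret.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters (not the project's): PBKDF2-HMAC-SHA256, 16-byte salt, 32-byte key.
ITERATIONS = 100_000
SALT_LEN = 16
DK_LEN = 32


def make_record(password: str, salt: Optional[bytes] = None, iterations: int = ITERATIONS) -> str:
    """Return 'iterations$salt_hex$dk_hex' for storage instead of the plaintext.

    Storing the iteration count alongside the salt lets the cost be raised later
    without invalidating existing records (see bump_iterations).
    """
    salt = os.urandom(SALT_LEN) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, DK_LEN)
    return f"{iterations}${salt.hex()}${dk.hex()}"


def verify(password: str, record: str) -> bool:
    """Login-style check: re-derive with the stored salt, compare in constant time.

    This is the only operation a hashed record supports. Nothing here can hand
    the passphrase back to a consumer that needs it in clear (e.g. to open a
    PKCS#12 certificate), which is exactly the APNs problem described above.
    """
    try:
        iter_str, salt_hex, dk_hex = record.split("$")
        iterations = int(iter_str)
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)
    except ValueError:
        return False  # malformed or tampered record: reject rather than raise
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, len(expected))
    return hmac.compare_digest(candidate, expected)


def bump_iterations(password: str, record: str, new_iterations: int) -> Optional[str]:
    """On a successful login, re-hash under a higher cost; None if the password is wrong."""
    if not verify(password, record):
        return None
    return make_record(password, iterations=new_iterations)
```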