Currently the OTP demo sends HTTP requests to retrieve the shared secret, which is not dead wrong, but defeats the purpose ofrom the security aspect. If we follow the same approach from AGDROID, I think we will be in a good shape.