Android Developers Blog: Using Cryptography to Store Credentials Safely - security-dev - Jboss List Archives

2025

January

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Android Developers Blog: Using Cryptography to Store Credentials Safely

PicketLink timed release

How we hacked Facebook with OAuth2...

Anil Saldhana

Wednesday, 20 February 2013 Wed, 20 Feb '13

3:20 a.m.

http://android-developers.blogspot.com/2013/02/using-cryptography-to-stor...

Reply

Show replies by date

Bruno Oliveira

Wednesday, 20 February Wed, 20 Feb

12:27 p.m.

Morning, just be careful with the earlier releases from Android http://code.google.com/p/android/issues/detail?id=40578 -- "The measure of a man is what he does with power" - Plato - @abstractj - Volenti Nihil Difficile On Tuesday, February 19, 2013 at 11:20 PM, Anil Saldhana wrote:

http://android-developers.blogspot.com/2013/02/using-cryptography-to-stor... _______________________________________________ security-dev mailing list security-dev(a)lists.jboss.org (mailto:security-dev@lists.jboss.org) https://lists.jboss.org/mailman/listinfo/security-dev

Reply

Anil Saldhana

4:44 p.m.

I have heard one of the biggest challenges with Android apps is once the phone is rooted, you have access to the APK. Basically any unencrypted secrets/tokens used by the app are vulnerable. At a bare minimum, OAuth interactions require (ClientID + ClientSecret) combination to be saved. On 02/20/2013 05:27 AM, Bruno Oliveira wrote:

Morning, just be careful with the earlier releases from Android http://code.google.com/p/android/issues/detail?id=40578 -- "The measure of a man is what he does with power" - Plato - @abstractj - Volenti Nihil Difficile On Tuesday, February 19, 2013 at 11:20 PM, Anil Saldhana wrote: > http://android-developers.blogspot.com/2013/02/using-cryptography-to-stor... > >

Reply

Bruno Oliveira

4:53 p.m.

-- "The measure of a man is what he does with power" - Plato - @abstractj - Volenti Nihil Difficile On Wednesday, February 20, 2013 at 12:44 PM, Anil Saldhana wrote:

I have heard one of the biggest challenges with Android apps is once the phone is rooted, you have access to the APK. Basically any unencrypted secrets/tokens used by the app are vulnerable.

I think that store any sensitive data unencrypted would be insane. That's the reason why we will encrypt the sensitive data for Android, iOS, JS on AeroGear.

At a bare minimum, OAuth interactions require (ClientID + ClientSecret) combination to be saved.

Don't worry about that, when OAuth2 impl on PicketLink become ready for testing I'll handle this.

On 02/20/2013 05:27 AM, Bruno Oliveira wrote: > Morning, just be careful with the earlier releases from > Android http://code.google.com/p/android/issues/detail?id=40578 > > > -- > "The measure of a man is what he does with power" - Plato > - > @abstractj > - > Volenti Nihil Difficile > > On Tuesday, February 19, 2013 at 11:20 PM, Anil Saldhana wrote: > > > http://android-developers.blogspot.com/2013/02/using-cryptography-to-stor... _______________________________________________ security-dev mailing list security-dev(a)lists.jboss.org (mailto:security-dev@lists.jboss.org) https://lists.jboss.org/mailman/listinfo/security-dev

Reply

4362

days inactive

4362

days old

security-dev@lists.jboss.org

Manage subscription

3 comments

3 participants

tags (0)

participants (3)

Anil Saldhana
Anil Saldhana
Bruno Oliveira