[aerogear-dev] Strange encrypted store behavior

Douglas Campos qmx at qmx.me
Tue Jan 14 08:53:43 EST 2014


On Tue, Jan 14, 2014 at 09:46:38AM +0100, Corinne Krych wrote:
> In AGPasswordKeyServices the password is stored in secure local
> storage (KeyChain for iOS, KeyStore for Android), therefore you could
> do a password check at login time as stated in your workflow. I think

Wait, password is stored? ouch - we need to fix this!

No matter how secure the keystore is, it's mandatory for us to use a
key-derivation scheme, or at least the traditional salt+hash. Reversible
encryption is asking for trouble :P

-- 
qmx
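
An added example, not part of the original message and not AeroGear code: one way to keep the login-time password check without storing the password, using PBKDF2 to derive a verifier (stored) and a separate store-encryption key (never stored). The function names, labels, record layout and iteration count are assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

ITERATIONS = 600_000  # assumed work factor; tune for the target device


def _derive(password: str, salt: bytes, iterations: int) -> Tuple[bytes, bytes]:
    """Return (verifier, encryption_key), both derived from the password."""
    master = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Distinct labels: the stored verifier reveals nothing about the store key.
    verifier = hmac.new(master, b"login-verifier", hashlib.sha256).digest()
    enc_key = hmac.new(master, b"store-encryption", hashlib.sha256).digest()
    return verifier, enc_key


def enroll(password: str, iterations: int = ITERATIONS) -> dict:
    """Build the record that goes into the KeyChain/KeyStore: no password inside."""
    salt = os.urandom(16)  # fresh random salt per enrollment
    verifier, _ = _derive(password, salt, iterations)
    return {"salt": salt, "iterations": iterations, "verifier": verifier}


def unlock(password: str, record: dict) -> Optional[bytes]:
    """Check the password at login; return the store key, or None if it is wrong."""
    verifier, enc_key = _derive(password, record["salt"], record["iterations"])
    # Constant-time comparison avoids leaking how many bytes matched.
    if hmac.compare_digest(verifier, record["verifier"]):
        return enc_key
    return None


if __name__ == "__main__":
    record = enroll("correct horse battery staple")  # constructed sample password
    print("wrong password rejected:", unlock("wrong guess", record) is None)
    print("right password unlocks:", unlock("correct horse battery staple", record) is not None)
```
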

