Amazon AppStore Failed message: "Sensitive information, such as password, is reflected in clear text without encryption."

I submitted the application to the Amazon Appstore and it was rejected with the following message:

Sensitive information, such as password, is reflected in clear text without encryption

Obviously not very good ... however, I looked at the application code. The user's password is stored in the shared preferences as an MD5 hash (it goes directly from the text field to the MD5 hash in prefs and is not written anywhere as plaintext).

When we send requests to our web API (over HTTP), we send a header containing the username and a hash of the following concatenated string (nonce + timestamp + passwordHash), along with some other bits.

I suppose this is due to the data in the header, but since what we send is a hash of the hash (which the server compares against the password digest it already knows), I'm not really sure why they would have a problem with this.

Any thoughts or ideas on how to resolve this particular failure would be greatly appreciated :-)

Thanks!

+4
2 answers

Just to close the loop. I emailed Amazon and they gave me more details ... it turned out that I was sending the password in clear text on the registration page. Everything else was fine.

In the end, we got an SSL certificate and used HTTPS to register the user, and it was approved. Hope that helps someone else :-)

+5

Your hash scheme is broken. By hashing the password and then using that hash the way you do, you have simply redefined what the plaintext password is.

One consequence of this is that anyone who gains access to your database can log into any account, because you have stored the plaintext of your derived password.

I'd:

1) Store the hash (using bcrypt or the like) on the server. Then send the plaintext password to the server and rely on SSL for transport security.

2) Use SRP. But DO NOT implement this yourself. It is notoriously difficult to implement correctly. It is very easy to make a mistake and end up with an insecure login.

Both are safer than your current system.

0
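To make the answer's point concrete, here is an added example (not from the original thread) that models the header scheme as the question describes it beside the answer's first option. It assumes SHA-256 for the header hash and stands in PBKDF2-HMAC-SHA256 from the Python standard library for "bcrypt or the like"; all function names are hypothetical.

```python
import hashlib
import hmac
import os

# Assumptions (not from the thread): the stored value is hex MD5, the header
# proof is SHA-256 over nonce+timestamp+passwordHash, and PBKDF2-HMAC-SHA256
# stands in for "bcrypt or the like".
ITERATIONS = 200_000

# --- Scheme as described in the question ---------------------------------
def md5_hex(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()

def make_proof(nonce: str, timestamp: str, password_hash: str) -> str:
    """Client: header value is a hash over the concatenated string."""
    return hashlib.sha256((nonce + timestamp + password_hash).encode()).hexdigest()

def server_verify_weak(stored_md5: str, nonce: str, timestamp: str, proof: str) -> bool:
    """Server: recompute from the stored MD5 and compare in constant time."""
    return hmac.compare_digest(make_proof(nonce, timestamp, stored_md5), proof)

# --- Answer's option 1: slow salted hash on the server, password over TLS --
def pbkdf2_record(password: str, salt: bytes = b"") -> tuple:
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def server_verify_strong(record: tuple, password: str) -> bool:
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)

def demo() -> dict:
    password = "correct horse"  # constructed sample credential
    nonce, ts = "n1", "1700000000"
    stored_md5 = md5_hex(password)
    # In the weak scheme the stored record alone yields a valid proof, which
    # is exactly the answer's point: the stored hash *is* the credential.
    weak_leaked = server_verify_weak(stored_md5, nonce, ts,
                                     make_proof(nonce, ts, stored_md5))
    record = pbkdf2_record(password)
    # In the strong scheme the server needs the password itself; the stored
    # digest is not accepted as a credential, so a database leak is not a login.
    return {"weak_accepts_leaked_record": weak_leaked,
            "strong_accepts_password": server_verify_strong(record, password),
            "strong_accepts_stored_digest": server_verify_strong(record, record[1].hex())}
```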
