Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
I’ve inherited a mobile app which sends auth credentials (userid/password) in the clear.
I’d imagine that I have 2 choices: a) use TLS. b) write my own auth protocol.
If I choose (b) what are the key guidelines that I must follow to make it it secure. e.g. how to avoid replay attacks, encryption strategies.
For both ‘you can’t get sued for it’ and ‘reasonably protected’ definitions of ‘safe’, for a mobile application, you can assume that the line is secure vs man-in-the-middle attacks and wide open to eavesdropping. SSL/TLS sounds the easiest way to go, but this might depend on your carrier and target phones.
If you can’t make TLS work and you need to roll your own, use Diffie-Hellman key exchange and established crypto library (Legion of the Bouncy Castle have a jightweight implementation that is J2ME compliant.)