2

I have submitted an app to Amazon for approval, they came back with this:

"This app appears to be sending unencrypted, sensitive information. In this instance, the E-MAIL and PASSWORD, is being sent in clear text. Please update the app to encrypt all sensitive information."

On the server side, I encrypt the password in my database using the sha1() PHP method (pretty standard). I am assuming they want the password/email String that Java passes to be encrypted while in transit to the web service. I assume? If this is the case, I need to decrypt the data (specifically the email because this needs to be stored in my DB in plain text.

Has anyone seen this Amazon inquiry before? And is my explanation of it correct? And if so, is there a way in Java to temporary encrypt data while in transit?

Here is a sample in how I do it:

insertParam = new ArrayList<NameValuePair>();
            insertParam.add(new BasicNameValuePair("Email", Email));
            insertParam.add(new BasicNameValuePair("Password", Password));
            insertParam.add(new BasicNameValuePair("Username", Username));

            try {
                HttpClient httpClient = new DefaultHttpClient();
                HttpPost httpPost = new HttpPost(url_select);

                httpPost.setEntity(new UrlEncodedFormEntity(insertParam));
                HttpResponse httpResponse = httpClient.execute(httpPost);
                HttpEntity httpEntity = httpResponse.getEntity();

                is = httpEntity.getContent();

            }

EDIT:

Looks like HTTPS is the way to go.

John Rotenstein
  • 241,921
  • 22
  • 380
  • 470
TheLettuceMaster
  • 15,594
  • 48
  • 153
  • 259
  • If all you are doing is hashing the password with SHA1, why not just hash it on androids side, then send it to PHP? – MrZander Jan 02 '13 at 18:44
  • 1
    SHA1 is just a hashing algorithm. http://stackoverflow.com/questions/4895523/java-string-to-sha1 As for the email, See Ashley Ross. – MrZander Jan 02 '13 at 18:51

1 Answers1

3

Amazon's requirement seems somewhat conservative, but could be best met by connecting to your web service via HTTPS instead of unencrypted HTTP. This is exactly what another StackOverflow user did in the end: Amazon AppStore Submission Failed: "Sensitive information like password is echoed in clear text without encryption"

While you could encrypt the data in your app, send it over the internet, and decrypt it on your server using a shared key, this is vulnerable to attackers that decompile your app to get the key.

Alternatively, you could generate a key pair, include the public key in the app and encrypt data with that, send it over the internet, and then use the private key on the server to decrypt the incoming data, but you're basically just re-implementing HTTPS manually.

At the end of the day, the "right" way to implement Amazon's requirement is to use HTTPS. Anything else is likely to be difficult to implement securely.

Community
  • 1
  • 1
Ashley Ross
  • 2,345
  • 2
  • 23
  • 43