
I submitted an App to the Amazon App store, but it was rejected because of this issue:

This app appears to be sending unencrypted, sensitive information. In this instance, the E-MAIL and PASSWORD is being sent in clear text. Please update the app to encrypt all sensitive information.

I'm using LoopJ for my http requests and I'm not sure why my data is not being encrypted, or how to encrypt it. Here's my code.

import com.loopj.android.http.AsyncHttpClient;
import com.loopj.android.http.AsyncHttpResponseHandler;
import com.loopj.android.http.RequestParams;

public class MYAuthClient {
    // Plain http:// base URL: every request built from it, including the
    // login request carrying email and password, goes out unencrypted.
    private static final String BASE_URL = "http://www.mywebservice.net/";

    private static AsyncHttpClient client = new AsyncHttpClient();

    // POST the params to BASE_URL + url and hand the result to responseHandler
    public static void post(String url, RequestParams params, AsyncHttpResponseHandler responseHandler) {
        client.post(getAbsoluteUrl(url), params, responseHandler);
    }

    private static String getAbsoluteUrl(String relativeUrl) {
        return BASE_URL + relativeUrl;
    }
}

To make requests, I do this.

// Credentials are added as ordinary request parameters
RequestParams params = new RequestParams();
params.put("email", login_email);
params.put("password", login_pass);
MYAuthClient.post("api/v1/tokens.json", params, new AsyncHttpResponseHandler() {
    @Override
    public void onStart() {
        // Initiated the request
    }

    @Override
    public void onSuccess(String response) {
        // Successfully got a response
    }

    @Override
    public void onFailure(Throwable e, String response) {
        // Response failed :(
        Toast.makeText(getApplicationContext(), "Failed to connect to server", Toast.LENGTH_LONG).show();
    }
});

Any help or a link to an example of using encryption along with LoopJ? Thanks!

android_student
  • So where exactly do you think you're encrypting them? You're just putting them as parameters to a request; unless you encrypt them beforehand in your code they won't be encrypted, and your code doesn't show encryption efforts. Consider hashing instead of encrypting. – Sten Petrov Jan 09 '13 at 16:23
  • That's what I'm asking. I'm not sure how to encrypt it. If someone could post an example, that'd be helpful. – android_student Jan 09 '13 at 16:33
  • Here's an example of how to hash the password: http://stackoverflow.com/questions/5980658/how-to-sha1-hash-a-string-in-android – Sten Petrov Jan 09 '13 at 16:36
  • The email you'll probably have to obfuscate rather than encrypt, since the key would be either predetermined or included with the data you post. – Sten Petrov Jan 09 '13 at 16:38
  • It looks like Amazon are looking for that call to be made over HTTPS and not HTTP like you are using. – jim Jan 09 '13 at 16:47
  • Try what @conor is suggesting; if it silences Amazon's verification you're good. I'd still advise against storing passwords plain, encrypted, or hashed without salt. Always salt and hash a password. To authenticate you can compare hashes instead of plaintexts. – Sten Petrov Jan 09 '13 at 16:52
  • Okay, thanks! That seems like an easy solution. Thanks for the help. – android_student Jan 09 '13 at 16:59

1 Answer


The best solution here is to provide an https endpoint for your webservice.

Then in your Android app, change the endpoint to https like so:

http://www.mywebservice.net/

becomes

https://www.mywebservice.net/

You need to check that the server hosting the webservice is set up to serve https. The solution to that problem is beyond the scope of this question.

jim
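The fix the answer describes, written out as an added example (this is not code from the question, the answer, or the LoopJ project): the same MYAuthClient with the base URL switched to https, plus a scheme check in getAbsoluteUrl so that a later edit of BASE_URL back to http cannot quietly put the email and password back on the wire in clear text. It assumes the LoopJ 1.4.x API used in the question (AsyncHttpClient.post(url, params, handler)) and the hypothetical host www.mywebservice.net from the question; the login helper at the bottom is an assumed convenience method, not part of the original code.

```java
import com.loopj.android.http.AsyncHttpClient;
import com.loopj.android.http.AsyncHttpResponseHandler;
import com.loopj.android.http.RequestParams;

import java.net.URI;
import java.net.URISyntaxException;

public class MYAuthClient {
    // Scheme changed from http:// to https://. TLS encrypts the whole request,
    // including the email and password parameters, which is what the store's
    // "unencrypted sensitive information" check was flagging.
    // (www.mywebservice.net is the hypothetical host from the question.)
    private static final String BASE_URL = "https://www.mywebservice.net/";

    private static final AsyncHttpClient client = new AsyncHttpClient();

    // POST params to BASE_URL + relativeUrl (LoopJ 1.4.x API, as in the question)
    public static void post(String relativeUrl, RequestParams params,
                            AsyncHttpResponseHandler responseHandler) {
        client.post(getAbsoluteUrl(relativeUrl), params, responseHandler);
    }

    // Build the absolute URL and refuse anything that is not https, so the
    // credentials can never be sent over a cleartext connection by mistake.
    static String getAbsoluteUrl(String relativeUrl) {
        String absolute = BASE_URL + relativeUrl;
        if (!isHttps(absolute)) {
            throw new IllegalArgumentException(
                    "Refusing to send credentials over a non-TLS URL: " + absolute);
        }
        return absolute;
    }

    // True only when the URL parses and its scheme is https (case-insensitive)
    static boolean isHttps(String url) {
        try {
            return "https".equalsIgnoreCase(new URI(url).getScheme());
        } catch (URISyntaxException e) {
            return false;
        }
    }

    // Assumed helper (not in the original code): the login call from the
    // question, routed through the https-only client above.
    public static void login(String email, String password,
                             AsyncHttpResponseHandler handler) {
        RequestParams params = new RequestParams();
        params.put("email", email);
        params.put("password", password);
        post("api/v1/tokens.json", params, handler);
    }
}
```

With TLS in place the password can be sent as-is in the request body; hashing it on the client, as suggested in the comments, does not replace the encrypted channel, because a hash sent in clear text is itself a reusable credential. Salting and hashing belongs on the server, where the stored value is compared against the submitted password. The scheme check here is a belt-and-braces guard for this one client; on Android 7.0 (API 24) and later the same policy can be enforced app-wide with a network security configuration that sets cleartextTrafficPermitted to false.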