On Tue, 5 Jul 2011 11:47:27 -0400 Disconnect wrote:
> As others have said, the best practice is "don't".
>
> If you absolutely must store it, you are probably doing it wrong. But if you
> insist on doing it wrong, look into PCI compliance (
> https://www.pcisecuritystandards.org/)
That requires paying for audits and usually a secure server where the data would be stored, though ironically PCI compliance can actually reduce your server security for some things, like OpenBSD passwords.

Do you realise that to support CRAM-MD5 (almost all mail servers do; not mine, but Nokia mail clients require it, grrr!!) the server has to access the password in plain text, unlike plain text over SSL, where the server can have no way of knowing your password without being given your password.

Like your method, which isn't just testing for a valid password: the key to decrypt this info has to be on the device. A programmable Android with a GUI will never be secure enough for this, especially during its immaturity. At the very least you'd need great big flashing disclaimers making your customers run a mile.
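The CRAM-MD5 point above is worth seeing in code. The following is an added example, not code from the original thread or any poster: it implements the client and server halves of the CRAM-MD5 exchange (RFC 2195, HMAC-MD5 over a server challenge) next to a PLAIN-over-TLS style check, so the difference in what the server must keep on disk is visible. The user names, passwords and the two in-memory "databases" are constructed sample data; the CRAM-MD5 server is written as keeping the plaintext password, which is the simplest form of the password-equivalent secret the mechanism forces the server to hold (the usual alternative, the pre-keyed HMAC-MD5 context state, is just as usable as a credential by anyone who reads it).

```python
import hashlib
import hmac
import os
import secrets

# ---- CRAM-MD5 (RFC 2195): challenge-response, HMAC-MD5 keyed with the password ----

def cram_md5_challenge() -> bytes:
    """Server picks a fresh random challenge for each authentication attempt."""
    return secrets.token_bytes(16)


def cram_md5_response(username: str, password: str, challenge: bytes) -> str:
    """Client side: HMAC-MD5(password, challenge), sent as '<user> <hexdigest>'."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return f"{username} {digest}"


# Constructed sample record. To recompute the client's HMAC the server must key
# HMAC-MD5 with the password itself, so a plaintext (or password-equivalent)
# secret has to be available to the server process at verification time.
CRAM_USERS = {"alice": "correct horse battery staple"}


def cram_md5_verify(response: str, challenge: bytes) -> bool:
    """Server side: recompute the HMAC from the stored plaintext and compare."""
    try:
        user, digest = response.split(" ", 1)
    except ValueError:
        return False
    password = CRAM_USERS.get(user)
    if password is None:
        return False
    expected = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


# ---- PLAIN over TLS: the transport hides the password, so the server stores only a hash ----

PBKDF2_ITERATIONS = 200_000


def make_password_record(password: str) -> tuple[bytes, bytes]:
    """Return (salt, PBKDF2-HMAC-SHA256 hash); the plaintext is discarded after this."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


# Constructed sample record: only salt + slow hash is on disk. Reading this table
# does not hand an attacker a usable credential the way CRAM_USERS does.
PLAIN_USERS = {"alice": make_password_record("correct horse battery staple")}


def plain_verify(username: str, password: str) -> bool:
    """Server side for PLAIN: the client sent the real password over TLS; hash and compare."""
    record = PLAIN_USERS.get(username)
    if record is None:
        return False
    salt, stored = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(stored, candidate)


def stored_secret_is_plaintext(username: str) -> tuple[bool, bool]:
    """(CRAM-MD5 store holds plaintext?, PLAIN store holds plaintext?) for one user."""
    cram_plain = CRAM_USERS.get(username) == "correct horse battery staple"
    plain_plain = PLAIN_USERS.get(username) == "correct horse battery staple"
    return cram_plain, plain_plain


if __name__ == "__main__":
    ch = cram_md5_challenge()
    print("CRAM-MD5 ok  :", cram_md5_verify(cram_md5_response("alice", "correct horse battery staple", ch), ch))
    print("CRAM-MD5 bad :", cram_md5_verify(cram_md5_response("alice", "wrong", ch), ch))
    print("PLAIN ok     :", plain_verify("alice", "correct horse battery staple"))
    print("PLAIN bad    :", plain_verify("alice", "wrong"))
    print("plaintext on server (cram, plain):", stored_secret_is_plaintext("alice"))
```

Both checks authenticate the same user correctly; the difference is entirely in what a compromise of the server's credential store yields. With CRAM-MD5 the server table is directly reusable by whoever reads it, which is the trade-off the post is pointing at, whereas with PLAIN over TLS the server only ever needs a salted slow hash.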
