Closed GoogleCodeExporter closed 9 years ago
The permission issue will be fixed in the next version.
However, we will continue to store sensitive information in plain text
(serialized in the preference file), because this app is actually designed for
users in China to tunnel through GFW with a limited user account on the remote
servers outside China (typically without permission to execute commands). In
future versions, maybe we will try to warn users about this security issue.
As a best practice, we suggest users only install apps from Android Market.
Original comment by max.c...@gmail.com
on 7 Oct 2011 at 2:52
Nice job on the quick response.
WRT passwords in the clear: I understand the idea that some users will create
tunnels using unprivileged accounts, but it's your job as the developer to
secure that information either way. Usernames and passwords are sensitive
information whether or not those accounts are root or unprivileged.
It's very easy to encrypt any of that text information inside of the profile.
Here's an example of implementing Android's AES libraries to encrypt and
decrypt a string on the fly.
http://www.androidsnippets.com/encryptdecrypt-strings
Original comment by mark.man...@gmail.com
on 7 Oct 2011 at 2:26
SSHTunnel is open source software. If we encrypt information using an AES
password, we have to write this password in our code. And, with this password,
anyone can decrypt profile info easily.
Original comment by max.c...@gmail.com
on 7 Oct 2011 at 2:41
You would not use static keys to implement AES. But I digress.
I don't agree with the fact that everyone should be using an unprivileged
shell, but where and how to store information is debatable so it seems this is
basically the discussion it's turned into.
http://stackoverflow.com/questions/785973/what-is-the-most-appropriate-way-to-store-user-settings-in-android-application
Fix the permissions first and then it's up to you how you store the other
information.
Original comment by antitree
on 7 Oct 2011 at 6:46
Could the file be encrypted by a master password (on every login), like a VPN?
Original comment by kdman...@gmail.com
on 28 Nov 2011 at 3:02
Original comment by max.c...@gmail.com
on 18 Jan 2012 at 6:20
Original issue reported on code.google.com by
antitree
on 6 Oct 2011 at 4:19