That's right. It's unfortunately a trade-off between convenience and security.

Somewhere on your device, there's also your Gmail password or some
sort of long-living token that can be used to authenticate against
Google services. Is it worth the risk of having others read your Gmail
messages and chat with your friends (and do other things with your
Google account), but in turn not having to frequently enter your
Google password? That's something everybody should ask himself when
storing passwords, even more so with mobile devices. (I for one think
it's worth it, otherwise I'd not use my G1.)

The only way to provide real security (or shall I say "better
security") would be in hardware, i.e. having some sort of TC chip that
would provide encryption/decryption to properly signed code only. And
even though there are "bad" uses of TC, I surely think techniques like
this should be used to provide better security to users.

Christoph


On Sat, Feb 7, 2009 at 7:18 PM, JP <joachim.pfeif...@gmail.com> wrote:
>
>
>
> On Feb 7, 9:43 am, Christoph Studer <chstu...@gmail.com> wrote:
>> (Note that rooted devices do not provide this security, because any
>> application can possibly become root and do whatever it wants on the
>> phone, AFAIK. But that's the user's risk when rooting a device.)
>
> Suppose user loses phone. Finder then roots it and uses adb to pull
> the database and preferences files -> Damage done. I consider it good
> practice to assume *anything* that's stored on the device is "up for
> grabs".
>
> Even with encryption things may be dicey. Finder may have success
> retrieving the original password through a reverse lookup. Just by
> what Google does (crawling the web), they've indexed a sizeable number
> of MD5 passwords for a reverse lookup.
>

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google
Groups "Android Developers" group.
To post to this group, send email to android-developers@googlegroups.com
To unsubscribe from this group, send email to
android-developers-unsubscr...@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/android-developers?hl=en
-~----------~----~----~----~------~----~------~--~---
