> My $.02 is to pick an established protocol, not just an algorithm. In
> some cases, it is possible to use an algorithm in such a way that you
> end up having less security than you think you're getting.

The same is true of established protocols --- perhaps even more so. HTTPS is the glaring example, especially since the original poster mentioned web services.

Ping, you may be able to get what you need with SOAP or REST over a very carefully authenticated HTTPS connection. By "very carefully authenticated", I mean "require a specific certificate on the server side, or at least require a specific certificate signer."

I also STRONGLY recommend that you do NOT put the password in the URL query string (i.e. in a GET request). Put it in the POST body. No secrets should appear in URLs.
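
An added example, not part of the original message: one way to do both things recommended above in Java, trusting only one bundled certificate (the server's own or its signer's) and sending the password in the POST body. The host `api.example.com`, the `/login` path, the form field names and the certificate file argument are placeholders assumed for illustration.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.URL;
import java.net.URLEncoder;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class PinnedLogin {
    // Build an SSLContext whose ONLY trust anchor is the certificate in caStream.
    // The platform's default CA store is not consulted, so a certificate issued
    // by any other signer fails the handshake.
    static SSLContext pinnedContext(InputStream caStream) throws Exception {
        Certificate ca = CertificateFactory.getInstance("X.509").generateCertificate(caStream);
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);                  // start from an empty key store
        ks.setCertificateEntry("pinned", ca); // the single trusted certificate
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    // POST the credentials as a form body; the URL itself carries no secret.
    static int login(SSLContext ctx, String user, char[] password) throws Exception {
        URL url = new URL("https://api.example.com/login"); // placeholder endpoint
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory()); // default hostname check stays on
        conn.setRequestMethod("POST");
        conn.setDoOutput(true);
        conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
        String body = "user=" + URLEncoder.encode(user, "UTF-8")
                    + "&password=" + URLEncoder.encode(new String(password), "UTF-8");
        try (OutputStream out = conn.getOutputStream()) {
            out.write(body.getBytes("UTF-8"));
        }
        return conn.getResponseCode();
    }

    // Usage: java PinnedLogin <pinned-cert.pem> <user>  (run from a terminal)
    public static void main(String[] args) throws Exception {
        try (InputStream ca = new FileInputStream(args[0])) {
            char[] pw = System.console().readPassword("Password: ");
            System.out.println("HTTP " + login(pinnedContext(ca), args[1], pw));
        }
    }
}
```

On Android the certificate would typically be read from the app's bundled resources rather than a file path.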
