On Tue, Mar 27, 2012 at 3:13 PM, Subbu Srinivasan <ssriniva...@gmail.com> wrote:
> We started off with client-server, moved to web/browser centric and now we
> are again back to thick client apps on mobile devices.
>
> Have people thought about ways to notify a user whether this is a safe app
> that user can enter credentials on?

Notifying a user about "safe-ness" is rather subjective. I'm not sure how you would do it in practice. Would safe-ness be judged by Marketplace stars?

Entering and saving credentials really depends on your threat model. For example, your bank is willing to give away the checking and provide mobile banking apps because they will make the money on you through lesser-advertised fees (such as a $50 bounced check). They also know there will be some abuse of the PIN code and accounts, but they swallow it for the bigger pay-out.

On a thick client, the client is probably maintaining state so the bad guy controls the state. Your company must accept the fact that a bad guy will present erroneous input in an effort to cheat the system.

My employer allows me to use a non-jailbroken device on the corporate network via wifi. I have very little trust in 802.11, the operating system, and their underlying security, so I won't enter my domain credentials (even if "don't save" is checked).

Jeff

--
You received this message because you are subscribed to the Google Groups "Android Security Discussions" group.
To post to this group, send email to android-security-discuss@googlegroups.com.
To unsubscribe from this group, send email to android-security-discuss+unsubscr...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/android-security-discuss?hl=en.
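The point Jeff makes about thick clients (the client holds the state, so the attacker holds the state, and the server must expect erroneous input) is usually addressed on the server side by treating every field the client sends as untrusted and re-deriving the authoritative values from server records. The following is an added illustration, not code from this thread or from any project mentioned in it: a hypothetical server-side handler for a mobile-app "transfer" request. The account records, the daily limit, the request shape and the `handle_transfer` / `fresh_accounts` names are all constructed for the example.

```python
"""
Added example (not from the mailing-list thread): a server-side handler for a
transfer request submitted by a thick mobile client.  The client keeps its own
copy of balances and identity, and an attacker controls that copy, so the
server ignores anything the client *claims* (its balance, its role, who it is)
and re-derives every decision from server-held state.

All account data, limits and field names are constructed for illustration.
"""
from __future__ import annotations

import copy
from dataclasses import dataclass
from typing import Any

# Constructed authoritative server-side records (hypothetical accounts).
_SEED_ACCOUNTS: dict[str, dict[str, Any]] = {
    "acct-1001": {"owner": "alice", "balance_cents": 25_000},
    "acct-2002": {"owner": "bob", "balance_cents": 5_000},
}
DAILY_LIMIT_CENTS = 100_000  # constructed policy value


def fresh_accounts() -> dict[str, dict[str, Any]]:
    """Return a private copy of the seed records so each run starts clean."""
    return copy.deepcopy(_SEED_ACCOUNTS)


@dataclass
class Decision:
    ok: bool
    reason: str


def handle_transfer(accounts: dict[str, dict[str, Any]],
                    authenticated_user: str,
                    request: dict[str, Any]) -> Decision:
    """Validate and apply a transfer from an untrusted thick client.

    `authenticated_user` is taken from the session/token the server already
    verified, never from the request body.  Every key in `request` is treated
    as attacker-controlled: wrong types, extra fields and fabricated balances
    are all expected and must not influence the outcome.
    """
    # 1. Shape and type checks: accept exactly what we expect, nothing else.
    try:
        src = str(request["from"])
        dst = str(request["to"])
        amount = request["amount_cents"]
    except (KeyError, TypeError):
        return Decision(False, "malformed request")
    # `type(...) is int` deliberately rejects bool (a subclass of int) and
    # numeric strings that a lenient cast would silently accept.
    if type(amount) is not int or amount <= 0:
        return Decision(False, "amount must be a positive integer")

    # 2. Authorization comes from server state, not from the client's claim
    #    about which account is "theirs".
    src_rec = accounts.get(src)
    if src_rec is None or src_rec["owner"] != authenticated_user:
        return Decision(False, "source account not owned by caller")
    if dst not in accounts or dst == src:
        return Decision(False, "invalid destination")

    # 3. Any balance or limit the client echoes back (e.g. a "balance_cents"
    #    field) is ignored; only the server's copy is consulted.
    if amount > src_rec["balance_cents"]:
        return Decision(False, "insufficient funds per server balance")
    if amount > DAILY_LIMIT_CENTS:
        return Decision(False, "exceeds daily limit")

    # 4. Mutate authoritative state only after every check has passed.
    src_rec["balance_cents"] -= amount
    accounts[dst]["balance_cents"] += amount
    return Decision(True, "transfer applied")


if __name__ == "__main__":
    accts = fresh_accounts()
    # Constructed tampered request: the client asserts a huge balance and an
    # "admin" role; both are ignored and the transfer is judged on server data.
    tampered = {"from": "acct-1001", "to": "acct-2002", "amount_cents": 1_000,
                "balance_cents": 10**9, "role": "admin"}
    print(handle_transfer(accts, "alice", tampered))
    # Constructed attempt to move money out of someone else's account.
    print(handle_transfer(accts, "alice",
                          {"from": "acct-2002", "to": "acct-1001",
                           "amount_cents": 10}))
```

The handler never reads the client's `balance_cents` or `role`, and it binds the source account to the server-verified session identity rather than to whatever the client puts in `from`; that is the practical form of "accept that the bad guy controls the client state".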