On 11/01/2013 10:01 PM, bitcoingr...@gmx.com wrote:

> Server provides a token for the client to sign.

Anyone else concerned about signing an arbitrary string?  Could be a
hash of $EVIL_DOCUMENT, no?  I'd want to XOR the string with my own
randomly generated nonce, sign that, then pass the nonce and the
signature back to the server for verification.

Johnathan Corgan, Corgan Labs
SDR Training and Development Services

<<attachment: johnathan.vcf>>

Attachment: signature.asc
Description: OpenPGP digital signature

Android is increasing in popularity, but the open development platform that
developers love is also attractive to malware creators. Download this white
paper to learn more about secure code signing practices that can help keep
Android apps secure.
Bitcoin-development mailing list

Reply via email to