I checked it out... it still looks like credentials are on the wire in clear text... can't this be traced quite easily with some network monitoring tools? Perhaps using HTTPS would be more appropriate or at least a baseline approach?
Or am I not understanding this correctly?

On Wednesday, December 17, 2014 8:34:34 PM UTC+1, J. Chris Anderson wrote:
>
> On Wednesday, December 17, 2014 8:59:24 AM UTC-8, Jens Alfke wrote:
>>
>> On Dec 17, 2014, at 4:31 AM, Andrew <[email protected]> wrote:
>>
>> So can anyone connect to this port on Android if they know your IP ??
>> That creates a bit of a security issue if you ask me...
>>
>> Traun or JChris can give a definitive answer since one of them wrote the
>> code. My understanding is that the listener socket is bound only to the
>> loopback interface (127.0.0.1) so it's not reachable from another host. It
>> might still be reachable from another process running on the same device,
>> though, if it decided to run a port-scan on localhost (but again, don't
>> take my word for that.)
>
> Additionally on Android there is a random basic-auth token that must be
> passed with REST requests, to keep other apps from snooping on localhost.
> See allowedCredentials here.
> <https://github.com/couchbaselabs/Couchbase-Lite-PhoneGap-Plugin/blob/master/src/android/CBLite.java#L82>
>
> Chris
>
>> —Jens
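
The two controls described in the quoted replies, a listener bound only to 127.0.0.1 and a random Basic-auth credential required on every REST request, shown in Python as an added example. This is not code from the thread or from the Couchbase Lite plugin; `make_listener` and `fetch_status` are hypothetical names, and the credential is generated fresh on each call.

```python
import base64
import hmac
import secrets
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer


def make_listener():
    """Start a loopback-only listener; return (server, user, password)."""
    user, password = secrets.token_hex(8), secrets.token_urlsafe(32)
    expected = b"Basic " + base64.b64encode(f"{user}:{password}".encode())
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            supplied = self.headers.get("Authorization", "").encode("latin-1")
            # Constant-time compare so the credential is not leaked by timing.
            if not hmac.compare_digest(supplied, expected):
                self.send_response(401)
                self.send_header("WWW-Authenticate", 'Basic realm="local"')
                self.end_headers()
                return
            body = b'{"ok": true}'
            self.send_response(200)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):  # keep the demo quiet
            pass

    # Bind to 127.0.0.1 only (not 0.0.0.0); port 0 lets the OS pick a free port.
    server = ThreadingHTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, user, password


def fetch_status(port, user=None, password=None):
    """GET / on the loopback listener and return the HTTP status code."""
    req = urllib.request.Request(f"http://127.0.0.1:{port}/")
    if user is not None:
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        req.add_header("Authorization", f"Basic {token}")
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        with opener.open(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code
```

A local process that finds the port by scanning localhost still gets 401 unless it also holds the per-run credential.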
