On 25/02/2014 13:14, Alexander Farber wrote:
If you keep it there, your app needs to download it - then the attacker can do it as well.
No, it doesn't need to.
You can send the user details to the server, and it would do the encryption and proxy it on to the service, returning the results. The encryption key for that stays secure on the server.
Tom
