17 comments

[ 2907 ms ] story [ 737 ms ] thread
Can anyone get to the article?
worked for me. tldr: Facebook apps were leaking the access token via the android log cat which is accessible from any app installed on your device.
AFAIK this has been a problem for well over 2 years now.
AFAIK since Android 4.1 the READ_LOGS permission (needed for an app to be able to access logcat output) can no longer be granted to a 3rd party application... of course, there are going to be lots of devices out there running Android < 4.1.
We condemn anyone that stores passwords as plaintext. Time to treat access tokens as nothing less than a password.
How would you store access tokens on a device, using two-way encryption or do you have something else in mind?
Two way encryption, yep.
but then for any reasonable application to be able to use them they'll need to store the unencryption key anyway..
Obviously you wouldn't store the encryption key in plaintext...
It's encrypted keys all the way down.
That's easy! We could use two-way encryption to encrypt the encryption key.
What's wrong with 'correct horse battery staple'?