Ah. Well, I'm going to assume you understand your customers (but suggest you always question whether you do! :=)
Indeed, one should always keep one's security practices in conformity with the nature of what you are protecting. But I would certainly consider salary information to be sensitive enough to justify encryption. But you're not giving us a lot of detail, so I guess I can't say much more. (I am not faulting you for that). Good luck. On Sunday, May 29, 2011 9:21:39 PM UTC-7, Zsolt Vasvari wrote: > > I have zero problems with using a servers, but my customers do. My > app doesn't require an Internet permission and I intend it to keep it > that way. > > By "sensitive" I dont' really mean to the point where if I steal a > user's phone, I can drain his bank account empty. The worse that will > happen is they find out how much I make. It's nothing a Chinese > person wouldn't flat out ask you and would expect an honest answer :) > > > > On May 30, 12:14 pm, Nikolay Elenkov <nikolay...@gmail.com> > wrote: > > On Mon, May 30, 2011 at 12:51 PM, Bob Kerns <r....@acm.org> wrote: > > > Don't worry about the terminology -- "ad hoc wifi network" is what > you're > > > looking for. I just wanted to figure out what you intended to say. > > > > > Hmm, "peer-to-peer" and "sensitive financial data" has me a bit > concerned. > > > I don't advocate sending sensitive data, via servers or not, > unencrypted. I > > > hope you're using some sort of public key encryption, with a secure key > > > > exchange, such as Diffie-Hellman. If all I have to do is eavesdrop on > your > > > NFC communications.... (The role of the public key encryption part is > to > > > give you a way to strongly identify the recipient you're exchanging the > > > > encryption keys with). > > > > It might actually be easier and more secure to exchange just URLs, and > > have the app get the data via https *and* authenticate to the server, > rather > > than trying to implement a secure protocol on top of NFC. That way the > app > > can be sure it's talking to the right server (server certificate) and > > the server > > can be sure it's giving the data to the right person (Google account, > etc. > > authentication). -- You received this message because you are subscribed to the Google Groups "Android Developers" group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en
