Hacker News new | past | comments | ask | show | jobs | submit login

The client isn't the problem, since you could push custom code to read the wifi key yourself. The problem is that the server will have everyone's Wifi keys.



The problem isn't in reading, but using the wifi key. The app promises to keep the wifi keys secret from other users:

> "... credentials are added to the database so that everyone else on the app can also use that hotspot. Users cannot actually view these credentials so as to protect user data."

But if a client app can download the wifi key from the server and use it to log in, then a modified client app could also download all wifi keys and show them to the user.

There is no practical way for the server to distinguish the original client app from a modified one as long as the user is in control of the hardware and OS it runs on.


Oh, I see what you mean now, I thought they meant secret on the server. Yeah, obviously they can be read if they go to the device, and verroq on the other thread looks like he found out how to decrypt the keys in the local cache.




Consider applying for YC's Spring batch! Applications are open till Feb 11.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: