Amazon AppStore Submission Failed: "Sensitive information like password is echoed in clear text without encryption"

Problem description

I've submitted an application to the Amazon app store, and it was rejected with the following details:

Sensitive information like password is echoed in clear text without encryption

Obviously, not a great thing ... however I've reviewed the application code. The user's password is stored in the private preferences as an MD5 hash (it goes straight from textbox to MD5 hash to prefs, and is not logged or written anywhere as plaintext).

When we post requests to our web API (via http), we post a header with the username, and a hash of the following concatenated string (nonce + timestamp + passwordHash) (along with some other bits).

I assume it has to do with the data in the header, but as it's a hash of a hash that we're posting (which the server compares with its own digest of the password he knows), I'm not really sure why they'd have a problem with that.

Any thoughts or ideas on how one could troubleshoot this particular failure would be greatly appreciated :-)

Thanks!

Recommended answer

Just to close the loop on this. I ended up emailing Amazon, and they gave me more details ... turns out I was submitting the password in cleartext on the registration page. Everything else was fine.

We ended up getting an SSL cert and using HTTPS to register the user, and it was approved. Hope that helps someone else out there :-)
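
One way to troubleshoot a rejection like this is to capture the app's requests and check which of them carry a credential field over plain HTTP. The script below is an added example, not code from the original post; the request dictionary layout, the field-name pattern, the header names `X-Username` and `X-Digest`, and the sample traffic are assumptions constructed for illustration.

```python
import json
import re
from urllib.parse import parse_qsl, urlsplit

# Field names treated as credential-bearing (assumed list for this example).
SENSITIVE = re.compile(r"pass(word|wd)?|pwd|secret", re.I)

def body_fields(req):
    """Return (name, value) pairs from a form-encoded or flat JSON body."""
    body = req.get("body", "")
    ctype = req.get("headers", {}).get("Content-Type", "")
    if "json" in ctype.lower():
        try:
            data = json.loads(body)
        except ValueError:
            return []  # unparseable body: nothing to inspect
        return [(k, str(v)) for k, v in data.items()] if isinstance(data, dict) else []
    return parse_qsl(body)

def cleartext_findings(requests):
    """Return (url, field) for each credential field sent without TLS."""
    findings = []
    for req in requests:
        parts = urlsplit(req["url"])
        if parts.scheme.lower() == "https":
            continue  # TLS covers the query string, headers and body in transit
        fields = parse_qsl(parts.query) + body_fields(req)
        fields += list(req.get("headers", {}).items())
        findings += [(req["url"], n) for n, v in fields if v and SENSITIVE.search(n)]
    return findings

# Constructed sample traffic modelled on the post: a registration form and a
# request carrying the username/digest headers, both over plain HTTP, plus
# the same registration over HTTPS.
SAMPLE = [
    {"url": "http://api.example.test/register",
     "body": "username=alice&password=hunter2"},
    {"url": "http://api.example.test/items",
     "headers": {"X-Username": "alice",
                 "X-Digest": "9e107d9d372bb6826bd81d3542a419d6"}},
    {"url": "https://api.example.test/register",
     "body": "username=alice&password=hunter2"},
]

if __name__ == "__main__":
    for url, field in cleartext_findings(SAMPLE):
        print(f"credential field {field!r} sent in cleartext to {url}")
```

On the sample, only the plain-HTTP registration request is reported, which matches the detail Amazon gave in the answer above.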
