Amazon AppStore Submission Failed: "Sensitive information like password is echoed in clear text without encryption"


Problem description

I've submitted an application to the amazon app store, and it was rejected with the following details:

Sensitive information like password is echoed in clear text without encryption

Obviously, not a great thing ... however, I've reviewed the application code. The user's password is stored in the private preferences as an MD5 hash (it goes straight from textbox to MD5 hash to prefs, and is not logged or written anywhere as plaintext).

When we post requests to our web API (via http), we post a header with the username, and a hash of the following concatenated string (nonce + timestamp + passwordHash) (along with some other bits).

I assume it has to do with the data in the header, but as it's a hash of a hash that we're posting (which the server compares with its own digest of the password he knows), I'm not really sure why they'd have a problem with that.

Any thoughts or ideas on how one could troubleshoot this particular failure would be greatly appreciated :-)

Thanks!

Recommended answer

Just to close the loop on this. I ended up emailing Amazon, and they gave me more details ... turns out I was submitting the password in cleartext on the registration page. Everything else was fine.

We ended up getting an SSL cert and using HTTPS to register the user and it was approved. Hope that helps someone else out there :-)
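As an added example (not part of the original post and not the poster's code), this Python sketch audits a set of outgoing requests for the condition the rejection turned out to be about: a password, or the stored password hash, travelling verbatim over a non-HTTPS connection. It shows why the digest header from the question passes while the registration form does not. The host, header names, sample password and the use of MD5 for the outer digest are assumptions.

```python
import hashlib
from urllib.parse import urlencode, urlsplit, unquote_plus


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def auth_digest(nonce: str, timestamp: str, password_hash: str) -> str:
    # Header value described in the question: hash(nonce + timestamp + passwordHash).
    # Assumption: the outer hash is MD5 as well; the post does not say.
    return md5_hex(nonce + timestamp + password_hash)


def cleartext_secret_leaks(requests, secrets):
    """Return (url, label) for each non-HTTPS request carrying a secret verbatim."""
    findings = []
    for req in requests:
        if urlsplit(req["url"]).scheme.lower() == "https":
            continue  # protected by TLS in transit
        header_lines = [f"{k}: {v}" for k, v in req.get("headers", {}).items()]
        wire = "\n".join([req["url"], *header_lines, req.get("body", "")])
        decoded = unquote_plus(wire)  # form bodies percent-encode the value
        for label, value in secrets.items():
            if value in wire or value in decoded:
                findings.append((req["url"], label))
    return findings


# Constructed sample data (hypothetical host, header names and password).
PASSWORD = "correct horse&1"
PASSWORD_HASH = md5_hex(PASSWORD)
SECRETS = {"password": PASSWORD, "password_hash": PASSWORD_HASH}
FORM = urlencode({"username": "alice", "password": PASSWORD})
REQUESTS = [
    # Registration form posted over plain HTTP: the password itself is on the wire.
    {"url": "http://api.example.test/register", "body": FORM},
    # API call signed as in the question: only the derived digest is sent.
    {"url": "http://api.example.test/items",
     "headers": {"X-User": "alice", "X-Nonce": "n-4821", "X-Timestamp": "1700000000",
                 "X-Digest": auth_digest("n-4821", "1700000000", PASSWORD_HASH)}},
    # The same registration after the fix: HTTPS.
    {"url": "https://api.example.test/register", "body": FORM},
]

if __name__ == "__main__":
    for url, label in cleartext_secret_leaks(REQUESTS, SECRETS):
        print(f"cleartext {label} in request to {url}")
```

The stored hash is included in the secrets because it is the value the digest is computed from, so sending it unprotected is equivalent to sending the password for this scheme.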
