I've submitted an application to the amazon app store, and it was rejected with the following details:

Sensitive information like password is echoed in clear text without encryption

Obviously, not a great thing ... however I've reviewed the application code. The user's password is stored in the private preferences as an MD5 hash (it goes straight from textbox to md5 hash to prefs, and is not logged or written anywhere as plaintext.

When we post requests to our web API (via http), we post a header with the username, and a hash of the following concatenated string (nonce + timestamp + passwordHash) (along with some other bits).

I assume it has to do with the data in the header, but as it's a hash of a hash that we're posting (which the server compares with its own digest of the password he knows), I'm not really sure why they'd have a problem with that.

Any thoughts or ideas on how one could troubleshoot this particular failure would be greatly appreciated :-)

Thanks!

Just to close the loop on this. I ended up emailing amazon, and they gave me more details ... turns out I was submitting the password in cleartext on the registration page. everything else was fine.

We ended up getting an ssl cert and using https to register the user and it was approved. hope that helps someone else out there :-)

Your hashing scheme is broken. By hashing the password and then using that hash like you do, you just redefined what the plaintext password is.

One consequence of this is that anybody who gets access to your database can login to any account, since you stored the plaintext of your derived password.

I'd either:

1) Store the hash(Using bcrypt or similar) on the server. Then send the plain text password to the server and rely on SSL for transport security.

2) Use SRP. But DON'T implement this yourself. It's notorious for being hard to implement correctly. It's very easy to make a mistake and ending up with an insecure login.

Both of them are more secure than your current system.