1. yeewiz
    I want to get a password storage app to hold my passwords and credit card numbers but I keep having visions of the author writing a Trojan Horse app that calls "home" whenever I start the app and offloads all my bank information. Isn't this doable, or am I just paranoid?
    04-24-2012 09:56 PM
  2. safesax2002
    I use lastpass.com. There is a WP7 app but it requires the paid version, which is $12 a year.
    04-24-2012 10:30 PM
  3. sinlessearth
    I don't think that you are paranoid. I know I would not store things like that on any app. Large companies like Sony can't even keep things like that safe; what's to say a little guy in his house writing some app will? Not for me, not at all.
    blnwp and yeewiz like this.
    04-25-2012 08:21 AM
  4. AzD
    If you have to ask, you probably are...
    04-25-2012 08:52 AM
  5. jimski
    Tell you what. You go have a private email conversation with Nico, the developer behind SkyWallet. He is very open to your opinion and comments, and will reply. I put all my trust in him. Could he, maybe. Would he, not a chance.

    Sent from my Lumia 900 using Board Express
    yeewiz likes this.
    04-25-2012 09:02 AM
  6. Frenzytom
    i use lastpass.com. There is a wp7 app but it requires the paid version, which is $12 a year.
    +1
    04-25-2012 09:57 AM
  7. thed
    You can always turn on wifi and fire up Wireshark on a laptop to see what kind of data your phone is sending. Though I guess a particularly devious dev could check to see if wifi is on and only phone home if wifi is off.

    You could also look for an app that doesn't use data services, but such an app wouldn't have any sort of online backup capabilities.

    Maybe WP8 will give us the capability to create a packet inspection tool, which can put issues like this to rest once and for all. But I wouldn't count on that.
    yeewiz likes this.
    04-25-2012 10:10 AM
  8. yeewiz
    I don't think that you are paranoid. I know I would not store things like that on any app.
    Thanks Sinless, nice to know someone else is on the same page with me on this.

    Jimski, Nico probably is trustworthy, maybe. But how do we vet all the other authors who write sensitive information apps? And how reliable is an Internet interview?

    Thed, good thought on the data services aspect. Also agree, packet inspection most likely isn't even close to being on the wish list.

    AzD, ok, I am. But healthily so

    LastPass guys, cloud-based storage of my sensitive info? I think I'll definitely pass on this one
    04-25-2012 03:27 PM
  9. Frenzytom
    LastPass guys, cloud-based storage of my sensitive info? I think I'll definitely pass on this one
    Strictly for the non-paranoid users. :)
    04-25-2012 03:36 PM
  10. jleebiker
    I have the same concerns. One of the reasons why I don't use one that has support for cloud-based backup storage. Just too many things could go wrong. Anyone try one of the ones that support AES encryption of the local store? Wouldn't that be a better way to secure the info even if it were farmed by someone?
    04-25-2012 09:31 PM
  11. yeewiz
    Anyone try one of the ones that support AES encryption of the local store? Wouldn't that be a better way to secure the info even if it were farmed by someone?
    That's another point I didn't expand on above. If I were paranoid :) , I would ask, how do you know the author actually used AES encryption? Would you know how to test for AES? An evil author could use any scheme and maybe have his own key and farm your data during the call home.
    04-25-2012 11:56 PM
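
    Added example, not part of the thread and not code from any app mentioned in it: on the question of testing for AES, ciphertext alone can only rule encryption out, not confirm it. This Python sketch flags a store that is plainly not encrypted (low entropy) or that shows ECB-style repeated blocks; it assumes you can get a copy of the store's bytes, and the samples are constructed. An empty result does not show that AES was used or that the author holds no copy of the key.

```python
import hashlib
import math
from collections import Counter

BLOCK = 16  # AES block size in bytes


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (8.0 = indistinguishable from random)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def repeated_blocks(data: bytes) -> int:
    """Count 16-byte aligned blocks that duplicate an earlier block."""
    blocks = [data[i:i + BLOCK] for i in range(0, len(data) - BLOCK + 1, BLOCK)]
    return len(blocks) - len(set(blocks))


def assess_store(data: bytes) -> list:
    """Return reasons to distrust the store; an empty list proves nothing."""
    findings = []
    if shannon_entropy(data) < 7.0:
        findings.append("low entropy: plaintext or trivial encoding")
    if repeated_blocks(data) > 0:
        findings.append("repeated 16-byte blocks: ECB-style or unencrypted")
    return findings


# Constructed samples (not taken from any real app).
PLAINTEXT = b"site=bank.example;user=alice;card=4111111111111111\n" * 40
# Deterministic stand-in for well-encrypted data: SHA-256 of a counter.
RANDOM_LIKE = b"".join(
    hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(128)
)
# Same data with its first four blocks appended again, as ECB would
# produce for repeated plaintext.
ECB_LIKE = RANDOM_LIKE + RANDOM_LIKE[:4 * BLOCK]

if __name__ == "__main__":
    for name, blob in [("plaintext", PLAINTEXT),
                       ("random-like", RANDOM_LIKE),
                       ("ecb-like", ECB_LIKE)]:
        print(name, round(shannon_entropy(blob), 2), assess_store(blob))
```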
  12. rbrunner
    I see basically two options for yeewiz:

    1) He trusts some carefully selected external party or several external parties (app author, server operator) and uses their apps and/or web services.

    2) He writes his app himself.

    What I do not see is any third option where somehow he could, with absolute certainty, decide who he can trust and who not. That problem of trust is a problem that has no solution, and I personally have learned in my life to move on as soon as I discover that a particular problem has no solution.

    By the way, option 2) isn't nearly as daunting as it may seem at first. Developing for WP7 is easy, at least compared to other smartphone platforms, and there are tons of code samples on the Internet. So, for somebody who really values security, it might be ok to learn programming and build his own apps - just to be sure.

    Update: Thinking about it some more, I think I found an option 2b): yeewiz learns just enough about WP7 programming to be able to read and understand C# code, and then finds somebody that writes the app for him and delivers it in source code so that he can check the source code himself before compiling it into an app.
    yeewiz likes this.
    04-26-2012 01:30 AM
  13. yeewiz
    2) He writes his app himself.
    rbrunner, thanks! Bingo, that's the answer. I don't use VS but am an old programmer and was looking for an app project in WP. Perfect!
    04-26-2012 09:38 PM