I want to get a password storage app to hold my passwords and credit car numbers but I keep having visions of the author writing a Trojan Horse app that calls "home" whenever I start the app and offloads all my bank information. Isn't this doable, or am I just paranoid?
I don't think that you are paranoid. I know I would not store things like that on any app. Large companies like sony can't even keep things like that safe whats to say little guy in his house writing some app will. Not for me, not at all.
Tell you what. You go have a private email conversation with Nico, the developer behind SkyWallet. He is very open to your opinion and comments, and will reply. I put all my trust in him. Could he, maybe. Would he, not a chance.
You can always turn on wifi and fire up Wireshark on a laptop to see what kind of data your phone is sending. Though I guess a particularly devious dev could check to see if wifi is on and only phone home if wifi is off.
You could also look for an app that doesn't use data services, but such an app wouldn't have any sort of online backup capabilities.
Maybe WP8 will give us the capability to create a packet inspection tool, which can put issues like this to rest once and for all. But I wouldn't count on that.
I don't think that you are paranoid. I know I would not store things like that on any app.
Thanks Sinless, nice to know someone else is on the same page with me on this.
Jimski, Nico probably is trustworthy, maybe. But how do we vett all the other authors who write sensitive information apps. And how reliable is an Internet interview?
Thed, good thought on the data services aspect. Also agree, packet inspection most likely isn't even close to being on the wish list
AzD, ok, I am. But healthily so
LastPass guys, cloud-based storage of my sensitive info? I think I'll definitely pass on this one
I have the same concerns. One of the reasons why I don't use one that has support for cloud based backup storage. Just too many things could go wrong. Any one try one of the ones that support AES encryption of the local store? Wouldn't that be a better was to secure the info even if it were farmed by someone?
Any one try one of the ones that support AES encryption of the local store? Wouldn't that be a better was to secure the info even if it were farmed by someone?
That's another point I didn't expand on above. If I were paranoid :) , I would ask, how do you know the author actually used AES encryption. Would you know how to test for AES? An evil author could use any scheme and maybe have his own key and farm your data during the call home.
1) He trusts some carefully selected external party or several external parties (app author, server operator) and uses their apps and/or web services.
2) He writes his app himself.
What I do not see is any third option where somehow he could, with absolute certainty, decide who he can trust and who not. That problem of trust is a problem that has no solution, and I personally have learned in my live to move on as soon as I discover that a particular problem has no solution.
By the way, option 2) isn't nearly as daunting as it may seem first. Developing for WP7 is easy, at least compared to other smartphone platforms, and there are tons of code samples on the Internet. So, for somebody who really values security, it might be ok to learn programming and build his own apps - just to be sure.
Update: Thinking about it some more, I think I found an option 2b): yeewiz learns just enough about WP7 programming to be able to read and understand C# code, and then finds somebody that writes the app for him and delivers it in source code so that he can check the source code himself before compiling it into an app.
