- Yes, the coin is centralized, but there is a blockchain and there is proof of how many coins someone has. We have security in place, and every day we are thinking of ways of improving it. I don't like doing bad things; I would rather be honest.
- We thought up a way of authenticating API requests, and it will be implemented in the next update so as to mitigate the risk of bots.
- Yes, the app gets some info about the device, but not much.
- Yes, we changed some things from v0.5.0b to v0.5.1. The password is hashed server side, and the password is sent via a secure connection (HTTPS).
- This was not introduced to ease the server load, but to improve security. We now use an even better salting method.
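As an added example (not the app's code, and not code from anyone in this thread), here is what "hashed server side with a salt" looks like in practice: a per-user random salt, a slow key derivation, and a constant-time comparison at login. PBKDF2-HMAC-SHA256, the iteration count, the `Credential` record layout and the `UserStore` class are all assumptions made for this example. Only the salt and the derived hash are stored, so the plaintext password is never written to the database, and a copy of the stored row does not by itself yield the password.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional

# Assumed work factor for PBKDF2-HMAC-SHA256; raise it as far as the login
# latency budget allows. Both constants are assumptions for this example.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


@dataclass(frozen=True)
class Credential:
    """What the server stores per user: salt, work factor and derived hash."""
    salt: bytes
    iterations: int
    hash: bytes


def hash_password(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Derive a 32-byte key from the password and a per-user salt.

    The salt is not a secret: its job is to make equal passwords hash
    differently and to defeat precomputed hash tables. Without the password,
    the salt alone gives an attacker nothing to compute with.
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_credential(password: str) -> Credential:
    """Fresh random salt for every account; the plaintext is never stored."""
    salt = os.urandom(SALT_BYTES)
    return Credential(salt, PBKDF2_ITERATIONS, hash_password(password, salt, PBKDF2_ITERATIONS))


def verify_password(cred: Credential, candidate: str) -> bool:
    """Recompute with the stored salt and compare in constant time so the
    response time does not leak how many bytes of the hash matched."""
    expected = hash_password(candidate, cred.salt, cred.iterations)
    return hmac.compare_digest(expected, cred.hash)


def same_password_different_hashes(password: str) -> bool:
    """Two accounts with the same password get unrelated salts and hashes."""
    a, b = make_credential(password), make_credential(password)
    return a.salt != b.salt and a.hash != b.hash


class UserStore:
    """Minimal in-memory account table keyed by username (constructed for this example)."""

    def __init__(self) -> None:
        self._users: Dict[str, Credential] = {}

    def register(self, username: str, password: str) -> bool:
        if username in self._users:
            return False
        self._users[username] = make_credential(password)
        return True

    def login(self, username: str, password: str) -> bool:
        cred = self._users.get(username)
        if cred is None:
            # Burn the same work for unknown usernames so timing does not
            # reveal whether an account exists.
            hash_password(password, b"\x00" * SALT_BYTES)
            return False
        return verify_password(cred, password)

    def stored_salt(self, username: str) -> Optional[bytes]:
        """What a leaked database row exposes: the salt, not the password."""
        cred = self._users.get(username)
        return cred.salt if cred is not None else None


if __name__ == "__main__":
    store = UserStore()
    store.register("alice", "correct horse battery staple")
    print("login ok:", store.login("alice", "correct horse battery staple"))
    print("wrong pw:", store.login("alice", "hunter2"))
    print("salt hex:", store.stored_salt("alice").hex())
```

The point this illustrates for the thread: because the salt is random per user and the password never leaves the server in stored form, the server-side scheme depends only on the password staying secret, and the transport (HTTPS with a certificate the client actually verifies) is what protects that password in transit.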
- If I may ask, how is proof implemented?
- Just updated and saw that. This authentication still can be implemented in a bot.
- I'm not concerned about manufacturer and device name; it can even be used as useful statistics, but please hash the IMEI in the next update. You have no need to store the IMEI number of all registered devices.
- This will only become effective if you migrate to a trusted certificate. Also, this doesn't guarantee you don't store passwords in plaintext anymore.
- Same as above. Because of the centralized nature, users can't know for sure it isn't that way.
I'd like to point out "Since v0.5.1 update, passwords are sent directly to the server without hashing. This causes a security risk as devs can now save passwords in plaintext"
Before v0.5.1, passwords were sent to the server hashed with a salt easily obtained via an unauthenticated request to the API, which one could easily do from the browser.
Arbitrary account creation + sync of coins was possible, and probably still is.
Quite a few other issues still exist, such as the possibility of logging out active users with nothing but a single HTTP request.
What would anyone do with the salt? You'd still need the password to successfully create the matching hash. Now this isn't needed anymore. Your password is sent plaintext to the server. Yeah, it's HTTPS, but self-signed as of now, so it really is plaintext as a matter of fact.
Regarding "one could easily do from the browser" and "nothing but a single http request": I personally don't find it simple to do a POST request from a browser.
I don't know if it would be better to open-source the whole project, release the blockchain and stuff, because it's also a point that scamcoin makers would saturate the market with this kind of coin. The problem is, we are talking about stuff worth money after all, and trust isn't something anyone can build anything upon in this field. If there are flaws in the system, people will go and abuse them.
Salted password hashing is useless if the user is able to disclose either the salt or the password; they then have half of what is needed to gain the other half.
Just updated and saw that. This authentication still can be implemented in a bot.
It still can easily be implemented in a bot; it would be a challenge to implement something like this fully capable of hindering bot creation.
As for the plaintext passwords, you do realize your password, when logging into this very site you used to raise this issue to the developers, is transmitted in the very same way, right?
- I'm not concerned about manufacturer and device name, it can be even used as useful statistics, but please hash the IMEI in the next update. You have no need to store the IMEI number of all registered devices.
You do realize that there is nothing plausible one can do with just an IMEI number, right? Even if they were to attempt contacting your service provider, they would still need your personal information along with your IMEI to actually be able to do anything.