Remix clone Hacker News

new | show | ask | jobs Github

	▲	dlcarrier 8 days ago
		`This is a huge problem for banking and music apps that absolutely rely on this capability` Yeah, I immediately cleared application data and uninstalled it, once I discovered my bank, of all organizations, was relying on Android to silo a token that grants access to my bank account with nothing else but a 4-digit PIN. I had submitted a vulnerability report, because the option to require a password could be turned off without a password, and their response was that it works as expected, because they only require a PIN and providing a password is optional. That isn't to say that I have the option to make my account require passwords, it's that providing a password isn't needed, but I have the option of providing one anyway. With only the PIN requirement, and four attempts before a lockout, a security vulnerability in the OS immediately becomes a 1 in 250 chance they'll have full access to may bank account, if I have a truly random PIN, or a 1 in 5 chance, if I have one of the four most common PINs and it always tries those. All that without having to wait to capture me logging in. Also, Google explicitly states that the phones storage should not be used for sensitive data.