Just installed the Android version of the new Moodle Mobile app, and logged in fine to my test server. However, on the initial request to acquire the token, the mobile app sent username and password in the URL (as GET params), and thus the username and password are saved into Apache's access log:
"GET /2.4/login/token.php?username=moodle_tester&password=mySillyPassword123&service=moodle_mobile_app HTTP/1.1" 200 44 "-" "Mozilla/5.0 (Linux; U; Android 4.2.2; en-us; SGH-I777 Build/JDQ39) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30"
"POST /2.4/webservice/rest/server.php?wstoken=632a0cb3d4a44660cf9c28f25aecd2d2&moodlewsrestformat=json HTTP/1.1" 200 1105 "-" "Mozilla/5.0 (Linux; U; Android 4.2.2; en-us; SGH-I777 Build/JDQ39) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30"
This is a big no-no regardless of whatever the situation is (we are using centralized SSO so this is even more critical). Can anybody weigh in on this one? Maybe we should submit the username and password through POST instead (just like subsequent calls to server.php)?
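As an added example (not code from the original post or from the Moodle project), here is a small check a server admin could run over an Apache access log to find requests that carried credentials or tokens in the query string, and to redact those values before the log is retained or shared. The parameter names, the helper names and the sample log lines are assumptions; the samples are constructed to resemble the two lines quoted above.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Query parameter names that should never appear in a request URL,
# because the URL ends up in access logs, proxy logs and browser history.
# Assumed set for this example; extend it for your own application.
SENSITIVE_PARAMS = {"username", "password", "passwd", "wstoken"}

# Request field of a combined-format Apache log line: "METHOD /target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Matches "?name=" or "&name=" for any sensitive name, capturing the prefix
# so the value that follows can be replaced.
REDACT_RE = re.compile(
    r"(?i)([?&](?:" + "|".join(re.escape(p) for p in sorted(SENSITIVE_PARAMS)) + r")=)[^&\s\"]*"
)

# Constructed sample lines (not real traffic), modelled on the quoted ones.
SAMPLE_LOG = [
    '127.0.0.1 - - [01/Jan/2013:00:00:00 +0000] "GET /login/token.php?username=moodle_tester'
    '&password=example-pass&service=moodle_mobile_app HTTP/1.1" 200 44 "-" "ExampleUA/1.0"',
    '127.0.0.1 - - [01/Jan/2013:00:00:01 +0000] "POST /webservice/rest/server.php?wstoken=0123456789abcdef'
    '&moodlewsrestformat=json HTTP/1.1" 200 1105 "-" "ExampleUA/1.0"',
    '127.0.0.1 - - [01/Jan/2013:00:00:02 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "ExampleUA/1.0"',
]


def find_sensitive_params(line):
    """Return (method, path, [param names]) if the request URL on this log line
    carries a sensitive query parameter, otherwise None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    names = [
        name for name, _ in parse_qsl(parts.query, keep_blank_values=True)
        if name.lower() in SENSITIVE_PARAMS
    ]
    if not names:
        return None
    return m.group("method"), parts.path, names


def redact_line(line):
    """Replace the value of every sensitive query parameter with [REDACTED]
    so the line can be kept for troubleshooting without the secret."""
    return REDACT_RE.sub(lambda m: m.group(1) + "[REDACTED]", line)


def scan(lines):
    """Scan an iterable of log lines; return (line index, method, path, names)
    for every line that leaked a sensitive parameter through the URL."""
    findings = []
    for i, line in enumerate(lines):
        hit = find_sensitive_params(line)
        if hit:
            findings.append((i,) + hit)
    return findings


if __name__ == "__main__":
    for idx, method, path, names in scan(SAMPLE_LOG):
        print(f"line {idx}: {method} {path} leaks {', '.join(names)} via the query string")
    print()
    for line in SAMPLE_LOG:
        print(redact_line(line))
```

Note that the scan flags both constructed lines: the GET to token.php for the username and password, and the POST to server.php for the wstoken, since a token in the query string is written to the access log just as a password is, whatever the HTTP method. Moving a secret out of the URL (into the request body or a header) is what keeps it out of the log; redaction is a mitigation for logs that already exist.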