Mobile App sending password in URL

Re: Mobile App sending password in URL

by Willy Lee -
Number of replies: 5

I just downloaded the iOS app and it sent my password in clear text in the GET request like described above.

Not OK.

Version 1.2 downloaded from the app store June 12, 2013

In reply to Willy Lee

Re: Mobile App sending password in URL

by Ryan Smith -

I just had a user request that I enable mobile services so they could use the Mobile app. The latest iOS version, 1.2, is still sending passwords in plain text. Will this be fixed any time soon?

In reply to Ryan Smith

Re: Mobile App sending password in URL

by Juan Leyva -
Core developers, Moodle HQ, Plugin developers, Testers

Hi,

Sorry for the big delay in publishing the version that solves the problem for iOS; there are some problems related to publishing the app in iTunes (btw, the Android version that solves the problem has been published since May).

http://docs.moodle.org/dev/Moodle_Mobile_Release_Notes

In reply to Juan Leyva

Re: Mobile App sending password in URL

by Jay Cook -

Do you know when this will be resolved for iOS?  We'd really like to promote Moodle Mobile on our campus but need the clear text password issue resolved for iOS before promoting it.

Thanks!  Jay

In reply to Jay Cook

Re: Mobile App sending password in URL

by Juan Leyva -

Hi, we just solved our problems for publishing new versions of the app in the Apple app store and also we just submitted a new version of the app that solves this security problem.

We are now waiting for Apple approval of the new app; I will make a public announcement once approved.

In reply to Juan Leyva

Re: Mobile App sending password in URL

by Juan Leyva -

The app has just been published in the App Store (version 1.2.2)

I just made some tests and I can confirm that the password is not sent in the URL anymore (it uses POST instead of GET)

x.x.x.x - - [13/Sep/2013:12:42:51 +0200] "POST /moodle/login/token.php HTTP/1.1" 200 464 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 6_1_2 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Mobile/10B146 (534256528)"
x.x.x.x - - [13/Sep/2013:12:42:52 +0200] "POST /moodle/webservice/rest/server.php?moodlewsrestformat=json HTTP/1.1" 200 1487 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 6_1_2 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Mobile/10B146 (534256528)"
x.x.x.x - - [13/Sep/2013:12:42:53 +0200] "POST /moodle/webservice/rest/server.php?moodlewsrestformat=json HTTP/1.1" 200 953 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 6_1_2 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Mobile/10B146 (534256528)"
x.x.x.x- - [13/Sep/2013:12:42:54 +0200] "GET /moodle/pluginfile.php/243/user/icon/f1 HTTP/1.1" 200 14635 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 6_1_2 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Mobile/10B146 (534256528)"
x.x.x.x - - [13/Sep/2013:12:43:04 +0200] "POST /moodle/webservice/rest/server.php?moodlewsrestformat=json HTTP/1.1" 200 10109 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 6_1_2 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Mobile/10B146 (534256528)"
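The access-log check from the last post can be automated. The following is an added example, not part of the original thread and not Moodle's own code: it scans combined-format access log lines for requests whose URL query string carries a secret, and masks the value before a line is shared. The parameter names `password` and `wstoken`, the helper names, and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Query parameters treated as secrets (assumed names; adjust to your deployment).
SENSITIVE_PARAMS = {"password", "wstoken"}

# Pulls the timestamp, method and request target out of a combined-format log line.
REQUEST_RE = re.compile(r'\[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) ')

# Matches "?name=value" or "&name=value" for any sensitive parameter.
REDACT_RE = re.compile(
    r'([?&](?:%s)=)[^&\s"]*' % "|".join(sorted(SENSITIVE_PARAMS)), re.IGNORECASE
)

def find_credential_leaks(lines):
    """Return (time, method, path, leaked_names) for requests with secrets in the URL."""
    findings = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue  # not a request line we can parse
        url = urlsplit(m.group("target"))
        names = {k.lower() for k, _ in parse_qsl(url.query, keep_blank_values=True)}
        leaked = sorted(names & SENSITIVE_PARAMS)
        # The HTTP method is irrelevant: a POST with the secret in the query
        # string is written to the access log just like a GET.
        if leaked:
            findings.append((m.group("time"), m.group("method"), url.path, leaked))
    return findings

def redact(line):
    """Mask secret values so the line can be pasted into a ticket or forum post."""
    return REDACT_RE.sub(r"\1REDACTED", line)

# Constructed sample lines (documentation IP range, made-up user and service).
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Jun/2013:09:15:01 +0200] "GET /moodle/login/token.php'
    '?username=jdoe&password=EXAMPLE-ONLY&service=example_service HTTP/1.1" 200 464 "-" "ExampleApp"',
    '192.0.2.10 - - [13/Sep/2013:12:42:51 +0200] "POST /moodle/login/token.php HTTP/1.1" 200 464 "-" "ExampleApp"',
    '192.0.2.10 - - [13/Sep/2013:12:42:52 +0200] "POST /moodle/webservice/rest/server.php'
    '?moodlewsrestformat=json HTTP/1.1" 200 1487 "-" "ExampleApp"',
]

if __name__ == "__main__":
    for finding in find_credential_leaks(SAMPLE_LOG):
        print(finding)
    print(redact(SAMPLE_LOG[0]))
```

Any hit means the secret has already been written to the server log (and possibly proxy logs), so the affected passwords should be rotated and the log files access-restricted or scrubbed.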