I've submitted an application to the amazon app store, and it was rejected with the following details:
Sensitive information like password is echoed in clear text without encryption
Obviously, not a great thing ... however I've reviewed the application code. The user's password is stored in the private preferences as an MD5 hash (it goes straight from textbox to md5 hash to prefs, and is not logged or written anywhere as plaintext.
When we post requests to our web API (via http), we post a header with the username, and a hash of the following concatenated string (nonce + timestamp + passwordHash) (along with some other bits).
I assume it has to do with the data in the header, but as it's a hash of a hash that we're posting (which the server compares with its own digest of the password he knows), I'm not really sure why they'd have a problem with that.
How can I troubleshoot this failure?
Just to close the loop on this. I ended up emailing amazon, and they gave me more details ... turns out I was submitting the password in cleartext on the registration page. everything else was fine.
We ended up getting an ssl cert and using https to register the user and it was approved. hope that helps someone else out there :-)