Should I be concerned about providing my password to GPush?
When we created the app, we committed first and foremost to security. We are using multiple levels of encryption including SSL, obfuscation, and cipher-based encryption. SSL ensures that your credentials can be transported securely. Your login credentials are encrypted using an encryption scheme that has never been cryptographically broken, with a different 'secret key' for each user. To test these security measures, penetration tests were ran on the server with no information accessed.
- Obfuscation: This could mean anything, even that they named sensitive files as grandmasGroceryList.txt to throw off hackers.
- Encryption scheme never been broken: This, again, means nothing. It is some custom scheme that has never been analyzed? I don't want someone's ROT-13 encoder protecting my personal information.
- Different secret key for each user: How are these keys generated and stored? How is this key repository stored to prevent unauthorized access? Is it done in such a way that this is this better (security) than having a single key for each user? Probably not. More than likely, it is just another level of indirection.
- Penetration tests: Professional? Script kiddy? State-sponsored? Automated tools? What level of access was given, and what testing procedures were followed?