ArcGIS Online Security - Unencrypted Credentials

Discussion created by jvseagle-co-nz-esridist Employee on Feb 24, 2013
Latest reply on Jun 28, 2013 by GISDev01

I have noticed that when using AGOL or any other client (e.g. builder for flex, ArcGIS app for Android, etc.), the credentials sent to the generateToken REST service are sent without any encryption. While the service is secured through SSL over the wire, this is not safe.

Any tool, e.g. Fiddler, can trace the credentials being sent ...

Can't you create a facade that you send the encrypted credentials to, which then decrypts them server-side and sends them to the generateToken endpoint, instead of calling it directly?

ArcGIS for Server 10.1 does not have this issue and hides the credentials very well.