zencoder

My initial understanding was that brm was receiving packets that don't belong to him, but, following his last post, that does not seem to be the case.

My comment was based on the assumption that if the data belonged to someone else, they would have the key, not brm. So his key would not open their packets.

He seems to be suggesting:

1. That the incoming packets contain information that should not be there.
2. That the application drops this information.
3. That "someone" is exploiting this information.
4. The data is less than 10 bytes (my credit card is 19 bytes?).

I am afraid it is not a scenario I can envisage that well. Like how would anyone know it was there to be exploited?

Also, having had many years' experience of full lifecycle applications development, I find the concept of a field with no purpose, suddenly finding itself in a transaction and automagically getting populated with someone else's data very, very hard to swallow.

Errr, unit testing, systems testing, user acceptance testing... all done in "plain" and no-one spotted it? The encryption is just something added on to the back end.

My approach would be:

1. Capture some packets and look at the plaintext content (which I would expect to be the header). If there is nothing suspicious then:

2. Contact the developer and advise them of my concerns and the reason for it.

3. If they don't convince me, get another application, or look elsewhere for the cause of my suspicions.