They are right. you should not trust me nor the app. From beginning I know the issue, I'm sorry, but I'v neglected the security concern as I hasten to release the app.
(A poor execuse to prove my innocence. I open the source. Suspicious users should review the source and build a binary from reviwed source.)
Current version (0.4) of the app uses ClientLogin for Installed Applications for authentication. In the process, apps handles passwords immediatly.
By contrast with ClientLogin, apps which uses OAuth for Installed Application handles oauth tokens instead of precisous passwords.
It is obvious that I should choose OAuth. However I can't get it so far. At OAuth Playground, I tried to get oauth_token. The paramerters I specified are:
scope: https://wave.google.com/wave/And the response is:
consumer secret: anonymous
Invalid scope: https://wave.google.com/wave/
By choosing other scope, I can get a oauth_toke.... I missed something? or Google doesn' support wave as a oauth scope (yet)?