When I connect my core to WiFi, are my SSID and WPA2 password sent anywhere outside the core itself (e.g., to the Spark cloud)? I would hope not, but I don’t think it hurts to ask.
When you send your SSID and password from the iOS or Android app to the core, they are sent over the air on your local network encrypted, but with a common key for every core, so that is not super secure but will keep prying eyes out. This only happens when you are setting up the core.
When you give the core an SSID and password over USB, the credential data goes only over USB.
All of the credentials you give to your core are currently stored in the TI CC3000 in a write-only memory so the TI WiFi chip can use them, but they cannot (easily) be read out by software.
Sometime this not what you want and so there is a feature request right now to also store the credentials in flash on the core, similar to how programs are stored. This would make factory resets more convenient since the core could try the last credentials and skip that step.
In any event, no credentials are sent over the cloud connection at any time.
It took me a minute to find this write-up of the TI CC3000 smart config process used by the iOS and Android app, in case you are interested:
Has there been any progress with this feature?
WiFi.setCredentials() have already arrived, something like
String WiFi.getMySSIDs() would fit well into the crowd
Returning the SSIDs with authentication scheme indicator - but obviously without password - would be a nice feature.