Yes i started using Pebble last month. I like it. I had to charge once per week, charges within an hour and its not a smartphone juice drainer (i use BlackBerry Z10). Though number of applications and support is good in Android/iOS for obvious reasons.
The format is intentionally being built in a way that you can look at the source, in the same way you would look at minified Javascript currently.
If you're worried about obscurity, look at what is generated by asm.js. WebAssembly won't be any worse than that (and is, in fact, more or less a more efficient/correct equivalent to asm.js).
The problem with hashes of hashes is now instead of the password being directly grabbed, the hash is directly grabbed, which can be thrown through the challenge-response system with no problem.
This only mitigates knowing the password itself, not anything to do with authentication.
> The problem with hashes of hashes is now instead of the password being directly grabbed, the hash is directly grabbed, which can be thrown through the challenge-response system with no problem.
But now you have to grab the hash first from one of the endpoints, MITMing the connection no longer suffices to impersonate the user.
I suppose public key schemes would be preferable, but deploying those isn't feasible for a lot of use cases.
On the other hand, there's nothing that's made _worse_ by choosing to do it that way. Plenty of things that are the same, some things better, but nothing worse.
