flex-users mailing list archives

From Alexander Farber <alexander.far...@gmail.com>
Subject Re: Air apps easily decompiled and hacked
Date Tue, 25 Feb 2014 13:44:48 GMT
I have implemented and deployed an iOS/Android/BB app with OAuth
authentication against Facebook (yes, I could better use ANE there) and
(Russian social networks) Vk.com, Mail.ru, Odnoklassniki (main target of my
app and there are no SDKs or ANEs) -

And there was no way to store the OAuth "app secret" string on the server.
And thus I know that my app is vulnerable (for impersonation of other
users) and the ease of AIR decompilation doesn't help there.

I think you keep insisting that it's possible to keep the secret part
outside the app, because you haven't really implemented such an app from
beginning to the end.


On Tue, Feb 25, 2014 at 2:37 PM, Tom Chiverton <tc@extravision.com> wrote:

> On 25/02/2014 13:14, Alexander Farber wrote:
>> If you keep it there, your app needs to download it -
>> then the attacker can do it as well.
> No, it doesn't need to.
> You can send the user details to the server, and it would do the
> encryption and proxy it on to the service, returning the results. The
> encryption key for that stays secure on the server.
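
The server-side proxy pattern from the quoted reply, as an added example that is not part of this thread: the client bundle ships only the app id and forwards the short-lived authorization code to a backend that alone holds the app secret. The provider endpoint, the backend, and all ids and secrets are constructed stand-ins simulated in-process.

```python
import hmac
import secrets

# Constructed values: the real app secret belongs in backend config only,
# never in anything a decompiler can reach.
APP_ID = "12345"
APP_SECRET = "constructed-app-secret-do-not-ship"

# --- stand-in for the social network's authorization/token endpoints ---
_issued_codes = {}  # code -> user id (single use)

def provider_issue_code(user_id):
    """Provider hands the user's device a short-lived code after login."""
    code = secrets.token_urlsafe(16)
    _issued_codes[code] = user_id
    return code

def provider_exchange(app_id, app_secret, code):
    """Provider token endpoint: refuses callers without the app secret."""
    if app_id != APP_ID or not hmac.compare_digest(app_secret, APP_SECRET):
        raise PermissionError("bad client credentials")
    user_id = _issued_codes.pop(code, None)  # a code can be redeemed once
    if user_id is None:
        raise PermissionError("unknown or reused code")
    return {"access_token": f"tok-{user_id}", "user_id": user_id}

# --- our backend: the only place APP_SECRET exists ---
_sessions = {}  # opaque session id -> provider token

def backend_login(code):
    """App posts the code here; backend redeems it and returns an opaque session id."""
    token = provider_exchange(APP_ID, APP_SECRET, code)
    session_id = secrets.token_urlsafe(24)
    _sessions[session_id] = token
    return session_id

def backend_user_for(session_id):
    """What the app can learn about itself from its session: the user, not the token."""
    return _sessions[session_id]["user_id"]

# --- what the client bundle actually ships ---
CLIENT_CONFIG = {"app_id": APP_ID, "backend_url": "https://example.invalid/login"}

def bundle_contains_secret(config):
    """Audit check: a decompiled bundle must not reveal the app secret."""
    return any(APP_SECRET in str(v) for v in config.values())
```

Whether this is possible at all depends on the provider offering a code-based (server-side) flow rather than requiring the secret on the device, which is the limitation described in the reply above.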
