flex-users mailing list archives

From Alexander Farber <alexander.far...@gmail.com>
Subject Re: Air apps easily decompiled and hacked
Date Fri, 28 Feb 2014 13:55:31 GMT
Yes, Justin, you can see, but there is nothing secret there :-)

The "app secret" is used to build a query to Facebook/etc. to get data.

The "app secret" is appended to the "query string" and a hash is produced.

If you sniff the resulting hashed data from the network -
you win nothing as an attacker.

But if you get the "app secret" from the app - you can
impersonate other users and send queries to Facebook/etc.
on their behalf.


On Fri, Feb 28, 2014 at 9:07 AM, Justin Mclean <justin@classsoftware.com> wrote:

> If the secret is stored in the client you may have to even decompile the
> app to get at it, just use a reverse proxy and you can see everything sent
> backward and forwards even if the app is using SSL.
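
The signing scheme described in this message, as an added example that is not part of the original thread and is not any platform's actual API: the secret is appended to the canonical query string and hashed, and the signing runs on a backend so the secret is never shipped in the client. SHA-256, the parameter names, the placeholder secret and the `backend_sign_for_session` helper are assumptions.

```python
import hashlib
import hmac
from urllib.parse import urlencode

# Constructed placeholder secret; it is held by the backend only,
# never compiled into the AIR/mobile client.
APP_SECRET = b"constructed-demo-secret"


def canonical_query(params: dict) -> str:
    """Sort parameters so signer and verifier hash the same string."""
    return urlencode(sorted(params.items()))


def sign(params: dict, secret: bytes) -> str:
    """Scheme from the message: append the secret to the query string, hash it.
    SHA-256 is an assumption; the thread does not name the hash."""
    return hashlib.sha256(canonical_query(params).encode() + secret).hexdigest()


def verify(params: dict, sig: str, secret: bytes) -> bool:
    """Recompute the signature and compare in constant time."""
    return hmac.compare_digest(sign(params, secret), sig)


def backend_sign_for_session(session_user: str, requested: dict) -> dict:
    """Hypothetical backend endpoint: the client sends unsigned parameters,
    the server pins uid to the authenticated session, then signs."""
    params = dict(requested, uid=session_user)  # client-supplied uid is overridden
    return dict(params, sig=sign(params, APP_SECRET))


def demo():
    # Constructed request: the client asks for another uid, the server ignores it.
    signed = backend_sign_for_session("alice", {"method": "friends.get", "uid": "bob"})
    sig = signed.pop("sig")
    genuine_ok = verify(signed, sig, APP_SECRET)
    # A sniffed signature does not validate for altered parameters.
    tampered_ok = verify(dict(signed, uid="bob"), sig, APP_SECRET)
    return signed["uid"], genuine_ok, tampered_ok


if __name__ == "__main__":
    print(demo())
```

With the secret held server-side, extracting strings from the client binary or proxying its traffic yields only per-request signatures bound to the session's own parameters.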
