flex-users mailing list archives

From Alex Harui <aha...@adobe.com>
Subject Re: Air apps easily decompiled and hacked
Date Tue, 25 Feb 2014 17:59:48 GMT
I think I'm missing something, but I'm certainly not an expert in this
area.  Where do native apps keep the "app-secret" if it isn't supposed to
be in client-side code?

-Alex

On 2/25/14 8:00 AM, "Tom Chiverton" <tc@extravision.com> wrote:

>I see, this is one of those cases where you can make a trade-off, isn't it?
>
>You can do on-device no-server authentication direct to an API, but this
>exposes the secrets to reverse engineering.
>Or you can choose to mediate everything via your own server, which
>mitigates that issue but drives up complexity and (ongoing) costs.
>
>In the specific case of FaceBook, this is the offline access scope - you
>grab the token once and then store it against the user on the server,
>and the client app then asks your server for everything rather than
>FaceBook. That on-device client app doesn't need to see any part of the
>initial 'allow access' web browser flow, so again the secret can be kept
>on the server.
>
>Unless I'm misreading.
>
>Tom

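As an added illustration of the server-mediated design described in the quoted message (this is not code from the thread or from either poster): the long-lived upstream token and the app secret stay on the mediating server, and the on-device client holds only an opaque session id. The provider is simulated with constructed stand-in functions, and APP_SECRET is a constructed placeholder.

```python
import hashlib
import hmac
import secrets

# Server-side state only. In a real deployment these live in the mediating
# server's database; the on-device client never sees any of them.
APP_SECRET = "placeholder-app-secret"   # constructed placeholder, never shipped
UPSTREAM_TOKENS = {}   # user_id -> long-lived ("offline access") upstream token
SESSIONS = {}          # opaque session_id -> user_id


def simulated_upstream_exchange(code):
    """Stand-in for the provider's code-for-token exchange (constructed, not a
    real API). Only the server can call it, because only it has APP_SECRET."""
    return hmac.new(APP_SECRET.encode(), code.encode(), hashlib.sha256).hexdigest()


def simulated_upstream_api(token, resource):
    """Stand-in for the provider's data API: accepts only tokens it issued."""
    for user_id, issued in UPSTREAM_TOKENS.items():
        if hmac.compare_digest(issued, token):
            return {"owner": user_id, "resource": resource}
    raise PermissionError("upstream rejected token")


def finish_login(user_id, code):
    """Server-side end of the browser 'allow access' flow: exchange the one-time
    code for an upstream token, store it against the user, and hand the client
    an opaque session id that embeds neither APP_SECRET nor the token."""
    UPSTREAM_TOKENS[user_id] = simulated_upstream_exchange(code)
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = user_id
    return session_id


def client_fetch(session_id, resource):
    """The only call the on-device app makes. It presents its session id; the
    server looks up that user's upstream token and talks to the provider itself,
    so a decompiled client yields nothing reusable against the provider."""
    user_id = SESSIONS.get(session_id)
    if user_id is None:
        raise PermissionError("unknown session")
    data = simulated_upstream_api(UPSTREAM_TOKENS[user_id], resource)
    # Guard against accidentally leaking the upstream token in a response body.
    if UPSTREAM_TOKENS[user_id] in repr(data) or APP_SECRET in repr(data):
        raise RuntimeError("response would leak a server-side secret")
    return data
```

Revoking a client's access is then a server-side delete of its session entry, with no change to the stored upstream token.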
