flex-users mailing list archives

From Tom Chiverton ...@extravision.com>
Subject Re: Flex AIR iPad App security concerns
Date Wed, 04 Mar 2015 09:02:26 GMT
It sounds like they used a combination of decompiling and static code
analysis? Or maybe as simple as 'strings' on the file.
This is nothing special to AIR (or .swf) applications, and it's a huge 

If you have sensitive data (like passwords) the general advice is:

* don't use the same password for every install
  For instance, generate a new password when the application registers
* don't store the password in the app
  Have the app ask the server for the password when it starts up

In your case, you are unzipping a password protected ZIP? So you are
making a server request anyway.
I assume you are protecting against someone capturing the request and
obtaining their own copy of your files?
I don't know your threat model, but you should be aware users can just 
browse the file system on the device to get the files after extraction, 
or brute force the .zip password (depending on the encryption scheme), 
for instance.

We could talk all day about threat analysis, risk/reward and return on 
investment :-)


On 04/03/15 08:17, Deepak MS wrote:
> I'm new to security thingie and have no idea. Can anyone who has worked on
> this kindly share best practices?
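
Added example, not part of the original message or of anyone's code in this thread: a server-side sketch of the two bullets in the reply (a different password per install, handed out at startup instead of being shipped in the app). The class and method names, the HMAC-based derivation, and the idea that the server packages each install's ZIP with the derived password are all assumptions; the per-install token would be kept in the device's protected storage, not in the application binary.

```python
import hashlib
import hmac
import secrets


class InstallRegistry:
    """Hypothetical server side: one archive password per install, none in the app."""

    def __init__(self, server_key: bytes):
        self._server_key = server_key      # lives only on the server
        self._token_hashes = {}            # install_id -> SHA-256 of its token

    def register(self):
        """Called once at first launch; returns (install_id, token)."""
        install_id = secrets.token_hex(8)
        token = secrets.token_urlsafe(32)
        # Store only a hash, so a leaked table does not yield usable tokens.
        self._token_hashes[install_id] = hashlib.sha256(token.encode()).digest()
        return install_id, token

    def archive_password(self, install_id: str, token: str):
        """Called at each startup; returns the password, or None if rejected."""
        expected = self._token_hashes.get(install_id)
        presented = hashlib.sha256(token.encode()).digest()
        if expected is None or not hmac.compare_digest(expected, presented):
            return None
        # Derived per install: leaking one password says nothing about the others.
        mac = hmac.new(self._server_key, install_id.encode(), hashlib.sha256)
        return mac.hexdigest()

    def revoke(self, install_id: str):
        """Cut off a single install without touching the others."""
        self._token_hashes.pop(install_id, None)


def demo():
    registry = InstallRegistry(server_key=secrets.token_bytes(32))
    a_id, a_token = registry.register()
    b_id, b_token = registry.register()
    pw_a = registry.archive_password(a_id, a_token)
    pw_b = registry.archive_password(b_id, b_token)
    wrong = registry.archive_password(a_id, b_token)    # token from another install
    registry.revoke(a_id)
    after_revoke = registry.archive_password(a_id, a_token)
    return pw_a, pw_b, wrong, after_revoke


if __name__ == "__main__":
    print(demo())
```

As the reply points out, this only limits what 'strings' or a decompiler can recover from the binary; the extracted files are still readable on the device.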
