flex-users mailing list archives

From Deepak MS <megharajdee...@gmail.com>
Subject Re: Flex AIR iPad App security concerns
Date Wed, 04 Mar 2015 14:43:29 GMT
Thanks Tomislav, I'll try that as well. The file size would be quite big,
around 200 - 250MB. Maybe I need to decode it back in chunks.

On Wed, Mar 4, 2015 at 5:34 PM, Tomislav Pokrajcic <tomislav@svemir.net>
wrote:

> If your system works with user accounts, you can use them to restrict
> access to sensitive data (like the contents of a zip file).
> E.g. don't serve the zip file from an open URL but make it available only
> through a protected server-side call accessible to users with existing
> accounts.
> An easy way to do it is to encode the zip to Base64 and serve it to the
> client as a string within AMF, JSON, XML or whatever data structure.
> That way there's no need to hardcode any passwords.
> Cheers,
>
> Tomislav
>
>
>
> On 4.3.2015. 11:40, Deepak MS wrote:
>
>> Hi Tom,
>> Ok. This is how it's all set up:
>> Firstly, the db file gets downloaded on the device; it is a
>> password-protected zip file. I'm using the ANEZipFile ANE to unzip this
>> zip file (https://github.com/xperiments/ANEZipFile) and I'm using the
>> unzip method from it [ unzip(zipfile : File, destination : File,
>> overwrite : Boolean = false, password : String = "") : void; ]
>>
>> I need to pass the password while calling the unzip method. Whether I
>> pass a variable to the 'password' parameter here or even if I directly
>> pass the password value, it shows up in that console. Whether I store
>> the password in my code or whether I get it from a service on the
>> backend, ultimately I need to pass it to this method and it might show
>> up again on that console. I'm not sure how else I can pass the password
>> to the unzip method. For that matter, I reckon the tool can hack the
>> native extension's code too?
>>
>> That's one part and, as you said, the db location is something like
>> this: https://myserver.com/ipaddata/dbfile.zip . We can easily browse
>> this and download the zip file. We are not able to restrict it. If we
>> restrict it we get a stream error in the app and the app cannot download
>> the file. ;( Hence I wondered, if at least the password can be hidden,
>> there can be some relief.
>>
>> Hi Erik,
>> Thanks for the link. I'll give that a try too.
>>
>> On Wed, Mar 4, 2015 at 3:26 PM, Tom Chiverton <tc@extravision.com> wrote:
>>
>>> There are also dedicated .swf obfuscating products, I suppose.
>>>
>>> Tom
>>>
>>>
>>> On 04/03/15 09:49, Erik de Bruin wrote:
>>>
>>>> You may want to check out this technique:
>>>>
>>>> http://www.ghostwire.com/blog/archives/as3-hiding-assets-and-code-by-embedding-swf-within-another-swf/
>>>>
>>>> EdB
>>>>
>>>>
>>>>
>>>> On Wed, Mar 4, 2015 at 9:17 AM, Deepak MS <megharajdeepak@gmail.com>
>>>> wrote:
>>>>
>>>>> Hello,
>>>>> We have developed some apps specifically for iPads and there has been
>>>>> rigorous testing from the security team using some hacking tools. What
>>>>> these tools do is display all the code variables and their values from
>>>>> the ipa file that we provide to them. Due to this, our app db locations
>>>>> (sqlite files for the offline app) and the passwords used (to unzip a
>>>>> secured zip file that gets downloaded, using the ANEZipFile native
>>>>> extension) are clearly exposed. It literally shows all the coding that
>>>>> has been done (still wondering how this can be possible from swf and
>>>>> then from ipa).
>>>>>
>>>>> I'm new to this security thingie and have no idea. Can anyone who has
>>>>> worked on this kindly share best practices?
>>>>>
>>>>> Some screenshots from the tool which show the variables and values used
>>>>> in the app:
>>>>>
>>>>> http://pbrd.co/1M69vES
>>>>> http://pbrd.co/1M69MYB
>>>>>
>>>>> App is built using Flex 4.13 FP15 AIR15.
>>>>>
>>>>> Appreciate your help.
>>>>>
>>>>>
>>>>
>>>>

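Tomislav's suggestion (serve the zip only through a server-side call that an authenticated account can reach, carrying the bytes as a Base64 string inside JSON) and Deepak's follow-up concern about decoding a 200-250MB file in chunks are sketched below as an added example. This is not code from the thread, from Flex/AIR or from ANEZipFile; the token store, the JSON message shape, the chunk size and the stand-in zip bytes are all assumptions made for the example. The server side cuts the file into raw chunks whose length is a multiple of 3 bytes, so the Base64 pieces join into one continuous stream; the client decodes that stream incrementally, carrying any partial 4-character quantum into the next message instead of decoding it alone.

```python
import base64
import hmac
import json

# Assumed session store (constructed): opaque bearer token -> account.
SESSIONS = {"tok-alice-7f3a": "alice", "tok-bob-91c2": "bob"}

# Constructed stand-in for dbfile.zip. Its length is deliberately not a
# multiple of 3, so the final chunk carries '=' padding.
FAKE_ZIP = b"PK\x03\x04" + bytes(range(256)) * 40 + b"end"

# Raw bytes per chunk (assumed). A multiple of 3 means every chunk but the
# last encodes to an unpadded, 4-aligned string, so the chunks concatenate
# into one valid Base64 stream the client can decode as it arrives.
CHUNK_BYTES = 3 * 65536


def authorize(token):
    """Return the account that owns `token`, or None for an unknown token.
    compare_digest keeps the comparison constant-time."""
    for known, account in SESSIONS.items():
        if hmac.compare_digest(known.encode(), token.encode()):
            return account
    return None


def serve_zip(token, payload=FAKE_ZIP, chunk_bytes=CHUNK_BYTES):
    """Yield JSON messages carrying the zip as Base64 chunks.

    Nothing is emitted unless the token belongs to an account, so the file
    is never reachable from an open URL, only through this call.
    """
    if chunk_bytes <= 0 or chunk_bytes % 3:
        raise ValueError("chunk_bytes must be a positive multiple of 3")
    if authorize(token) is None:
        raise PermissionError("no account for token")
    count = (len(payload) + chunk_bytes - 1) // chunk_bytes
    for seq in range(count):
        piece = payload[seq * chunk_bytes:(seq + 1) * chunk_bytes]
        yield json.dumps({"seq": seq, "last": seq == count - 1,
                          "data": base64.b64encode(piece).decode("ascii")})


def resplit(messages, chars):
    """Re-cut the stream at arbitrary character positions: a constructed
    stand-in for a transport that does not respect the server's chunking."""
    text = "".join(json.loads(m)["data"] for m in messages)
    pieces = [text[i:i + chars] for i in range(0, len(text), chars)] or [""]
    return [json.dumps({"seq": i, "last": i == len(pieces) - 1, "data": p})
            for i, p in enumerate(pieces)]


def receive_zip(messages):
    """Decode the chunk stream incrementally, never holding all of it.

    Base64 decodes in 4-character quanta, so characters left over from one
    message are carried into the next rather than decoded on their own.
    Out-of-order or truncated streams are rejected instead of silently
    producing a corrupt zip.
    """
    out = bytearray()
    carry = ""
    expected = 0
    seen_last = False
    for raw in messages:
        msg = json.loads(raw)
        if seen_last or msg["seq"] != expected:
            raise ValueError(f"chunk {msg['seq']} out of order")
        expected += 1
        seen_last = msg["last"]
        text = carry + msg["data"]
        usable = len(text) - len(text) % 4
        out += base64.b64decode(text[:usable], validate=True)
        carry = text[usable:]
    if carry or not seen_last:
        raise ValueError("truncated download")
    return bytes(out)
```

Two things worth keeping in mind when applying this: Base64 is an encoding, not protection, and it grows the payload by a third (a 250MB zip becomes roughly 333MB of text), so the access control lives entirely in the account check before the first chunk is sent; and once the file is only reachable through an authenticated call, the zip no longer needs a password at all, which is what removes the hardcoded secret from the swf.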