From Deepak MS <megharajdee...@gmail.com>
Subject Re: Flex AIR iPad App security concerns
Date Wed, 04 Mar 2015 10:40:18 GMT
Hi Tom,
Ok. This is how it's all set up:
Firstly, the db file gets downloaded on the device, which is a password-protected
zip file. I'm using the ANEZipFile ANE to unzip this zip file
(https://github.com/xperiments/ANEZipFile) and I'm using the unzip method from
it [ unzip(zipfile : File, destination : File, overwrite : Boolean = false,
password : String = "") : void; ]

I need to pass the password while calling the unzip method. Whether I pass a
variable to the 'password' parameter here or even if I directly pass the
password value, it shows up in that console. Whether I store the password
in my code or whether I get it from a service on the backend, ultimately I
need to pass it to this method and it might show up again on that console.
I'm not sure how else I can pass the password to the unzip method. For that
matter, I reckon the tool can hack the native extension's code too?

That's one part, and as you said, the db location is something like this:
https://myserver.com/ipaddata/dbfile.zip . We can easily browse this and
download the zip file. We are not able to restrict it. If we restrict it we
get a stream error in the app and the app cannot download the file. ;( Hence I
wondered, if at least the password can be hidden, there can be some relief.

Hi Erik,
Thanks for the link. I'll give that too a try.

On Wed, Mar 4, 2015 at 3:26 PM, Tom Chiverton <tc@extravision.com> wrote:

> There are also dedicated .swf obfuscating products I suppose.
> Tom
> On 04/03/15 09:49, Erik de Bruin wrote:
>> You may want to check out this technique:
>> http://www.ghostwire.com/blog/archives/as3-hiding-assets-and-code-by-embedding-swf-within-another-swf/
>> EdB
>> On Wed, Mar 4, 2015 at 9:17 AM, Deepak MS <megharajdeepak@gmail.com>
>> wrote:
>>> Hello,
>>> We have developed some apps specifically for iPads and there has been
>>> rigorous testing from the security team using some hacking tools. What these
>>> tools do is display all the code variables and their values from the
>>> ipa file that we provide to them. Due to this, our app db locations (sqlite
>>> files for the offline app) and the passwords used (to unzip a secured zip file
>>> that gets downloaded, using the ANEZipFile native extension) are clearly
>>> exposed. It literally shows all the coding that has been done (still
>>> wondering how this can be possible from swf and then from ipa).
>>> I'm new to security things and have no idea. Can anyone who has worked on
>>> this kindly share best practices?
>>> Some screenshots from the tool which show the variables and values used in
>>> the app:
>>> http://pbrd.co/1M69vES
>>> http://pbrd.co/1M69MYB
>>> App is built using Flex 4.13FP15AIR15.
>>> Appreciate your help.
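The thread's two problems are the same problem: a zip password compiled into the .ipa can always be read back out of the SWF's constant pool, and obfuscation only makes that slower, while an unauthenticated URL such as https://myserver.com/ipaddata/dbfile.zip lets anyone fetch the file without the app at all. The control that actually works is server-side: the app authenticates, the backend hands it a short-lived signed URL, and the download endpoint refuses anything without a valid signature. The example below is added here to show that pattern and is not code from the thread, from ANEZipFile, or from Flex. The function names, the `uid`/`exp`/`sig` query parameters, and the randomly generated `SERVER_KEY` are assumptions for illustration; only the server path is taken from the post. The signing key lives on the backend only and is never shipped to the device.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed: the HMAC key is generated and held on the server.  Nothing in the
# app bundle needs to know it, so decompiling the SWF reveals nothing useful.
SERVER_KEY = secrets.token_bytes(32)


def sign_download_url(base_url, path, user_id, ttl_seconds=300, now=None,
                      key=SERVER_KEY):
    """Backend side: mint a URL for `path` that only `user_id` can use and
    that stops working after `ttl_seconds`.  Called after the user has
    authenticated; the app just fetches whatever URL it is given."""
    current = int(now if now is not None else time.time())
    expires = current + ttl_seconds
    # The signed message binds path, user and expiry together so none of the
    # three can be swapped without invalidating the signature.
    msg = f"{path}|{user_id}|{expires}".encode()
    sig = hmac.new(key, msg, hashlib.sha256).hexdigest()
    query = urlencode({"uid": user_id, "exp": expires, "sig": sig})
    return f"{base_url}{path}?{query}"


def verify_download_request(url, now=None, key=SERVER_KEY):
    """Download-endpoint side: decide whether to serve the file.
    Returns (ok, reason); the file is only streamed when ok is True."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    try:
        uid = query["uid"][0]
        exp = int(query["exp"][0])
        sig = query["sig"][0]
    except (KeyError, ValueError):
        # A bare https://myserver.com/ipaddata/dbfile.zip lands here, which is
        # exactly the request that used to succeed.
        return False, "missing or malformed parameters"

    # Recompute the signature over the same fields the backend signed.
    msg = f"{parts.path}|{uid}|{exp}".encode()
    expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
    # compare_digest avoids leaking how many leading characters matched.
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"

    current = int(now if now is not None else time.time())
    if current > exp:
        return False, "expired"
    return True, "ok"


if __name__ == "__main__":
    # Constructed walkthrough with a fixed clock so the output is reproducible.
    issued = sign_download_url("https://myserver.com", "/ipaddata/dbfile.zip",
                               "user42", ttl_seconds=300, now=1000)
    print(issued)
    print(verify_download_request(issued, now=1100))        # valid
    print(verify_download_request(issued, now=1400))        # expired
    tampered = issued.replace("user42", "user43")
    print(verify_download_request(tampered, now=1100))      # bad signature
```

This replaces "hide the password in the app" with "the server only serves the file to an authenticated request", which is the restriction the original setup could not apply without the AIR app hitting a stream error: the app no longer needs to know any secret, it only has to ask the backend for a fresh URL before each download. Note what this does and does not achieve: it stops third parties from pulling the zip straight from the server, but a legitimate user who controls the device can still obtain the file and, since the app has to decrypt it, its contents. Anything the client can read, its owner can read too, so data that must stay confidential from the user should not be placed on the device in the first place.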
