On Mon, Jun 8, 2009 at 4:20 PM, Shan <[email protected]> wrote:
>
> What I've done is used my server to sign requests for the Flex app, so
> the secret key is not in the actionscript source code.

This problem isn't solvable, because it's fundamentally a DRM problem. Any application that executes code on the user's machine is fundamentally un-trustable. This will always be true, and there's no point in trying to find a way to prevent un-intended uses of consumer keys that have been distributed to clients. Accept that it's a risk, factor that risk into interface design and use cases, and move on.

FWIW, the approach of using your server to sign requests for a Flex app ultimately (though probably not in practice) has exactly the same effect as distributing those consumer keys in plain text, except that you need to do the signature work instead of phishers or other attackers.

b.
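
The equivalence described in the reply above, as an added example that is not part of the original thread: an OAuth 1.0 HMAC-SHA1 signer kept on the server returns the same signature to any caller, and the provider checks only the signature. The secret, key, URL, the `SIGNABLE` allowlist and all function names are constructed for illustration; the allowlist is an assumption showing the one control the signing server does have, which is limiting what it signs.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

CONSUMER_SECRET = "constructed-secret"  # constructed; never leaves the server
SIGNABLE = {("GET", "https://api.example.test/photos")}  # hypothetical allowlist

def pct(value):
    """Percent-encode as OAuth 1.0 requires (only unreserved characters stay bare)."""
    return quote(str(value), safe="-._~")

def base_string(method, url, params):
    """Signature base string: METHOD & encoded URL & encoded sorted parameters."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])

def hmac_sha1(method, url, params, consumer_secret, token_secret=""):
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def signing_endpoint(method, url, params):
    """Hypothetical server-side signer the Flex client calls.

    It cannot authenticate the caller: any credential for that would itself
    ship inside the client. All it can do is limit what it agrees to sign.
    """
    if (method.upper(), url) not in SIGNABLE:
        raise PermissionError("request is outside the set this server signs")
    return hmac_sha1(method, url, params, CONSUMER_SECRET)

def provider_accepts(method, url, params, signature):
    """What the service provider checks: only that the signature matches."""
    expected = hmac_sha1(method, url, params, CONSUMER_SECRET)
    return hmac.compare_digest(expected, signature)

def compare_callers():
    url = "https://api.example.test/photos"
    params = {"oauth_consumer_key": "constructed-key", "oauth_nonce": "n1",
              "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": "1244500000"}
    from_app = signing_endpoint("GET", url, params)    # the real Flex app asks
    from_other = signing_endpoint("GET", url, params)  # any other HTTP client asks
    return from_app == from_other, provider_accepts("GET", url, params, from_other)

if __name__ == "__main__":
    print(compare_callers())
```

Because every request passes through the signing server, it can also be logged and rate-limited there, which is the practical difference from shipping the key in the client.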
