I have implemented and deployed an iOS/Android/BB app with OAuth authentication against Facebook (yes, I could better use ANE there) and (Russian social networks) Vk.com, Mail.ru, Odnoklassniki (main target of my app and there are no SDKs or ANEs) -
And there was no way to store the OAuth "app secret" string on the server. And thus I know that my app is vulnerable (to impersonation of other users), and the ease of AIR decompilation doesn't help there.

I think you keep insisting that it's possible to keep the secret part outside the app because you haven't really implemented such an app from beginning to end.

Regards
Alex

On Tue, Feb 25, 2014 at 2:37 PM, Tom Chiverton <[email protected]> wrote:
> On 25/02/2014 13:14, Alexander Farber wrote:
>
>> If you keep it there, your app needs to download it -
>> then the attacker can do it as well.
>>
> No, it doesn't need to.
>
> You can send the user details to the server, and it would do the
> encryption and proxy it on to the service, returning the results. The
> encryption key for that stays secure on the server.
>
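The server-side proxy pattern from the quoted reply, as an added example (not code from either poster): the mobile app only forwards the short-lived authorization code, the server alone holds the app secret and the resulting provider token, and the app gets back an opaque session id. Provider endpoint, app id and secret value are hypothetical placeholders.

```python
import json
import secrets
from urllib.parse import parse_qs, urlencode
from urllib.request import Request, urlopen

# Hypothetical values, constructed for this example; the real app secret
# lives only in the server's configuration, never inside the mobile binary.
APP_ID = "123456"
APP_SECRET = "server-only-app-secret"
TOKEN_ENDPOINT = "https://provider.example/oauth/access_token"

# Provider tokens stay here, keyed by an opaque session id handed to the app.
_sessions = {}

def build_token_request(code, redirect_uri):
    """Form body for the code exchange; the only place the secret is used."""
    return urlencode({
        "client_id": APP_ID,
        "client_secret": APP_SECRET,
        "code": code,
        "redirect_uri": redirect_uri,
        "grant_type": "authorization_code",
    })

def http_post(url, body):
    """Real transport; callers may pass a stub so the example runs offline."""
    req = Request(url, data=body.encode(), method="POST")
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode()

def exchange_code(code, redirect_uri, post=http_post):
    """App sends only the code; the server exchanges it and keeps the token."""
    raw = post(TOKEN_ENDPOINT, build_token_request(code, redirect_uri))
    # Providers answer either JSON or a form-encoded body; accept both.
    try:
        token = json.loads(raw)["access_token"]
    except ValueError:
        token = parse_qs(raw)["access_token"][0]
    session_id = secrets.token_urlsafe(32)
    _sessions[session_id] = token
    # Neither the app secret nor the provider token reaches the device.
    return {"session": session_id}

def call_provider(session_id, get):
    """Later API calls go through the server too; get(url) does the request."""
    token = _sessions.get(session_id)
    if token is None:
        raise PermissionError("unknown session")
    return get("https://provider.example/me?" + urlencode({"access_token": token}))
```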
