My general 50ct on this topic :-)

Well, I guess this is one of the problems every program has, no matter if ActionScript, Java, C, or even if you're sick enough to use Assembler. As long as the computer has to work with it, it has to somehow be able to access it. If the computer can access it, a hacker can access it.

When it comes to software, there is no 100% protection and you can bet: if it's common and worth stealing, there will probably be exploits available to steal it. You can, however, make it hard for others to steal. The more effort you put into this, the harder you will make stealing it. Usually I settle for an amount of protection that is a compromise between protection and the effort I have to put in. But in order to make it 100% safe you would probably have to put an infinite amount of work into it.

Sometimes it is also a good option to re-think whether you even have to save a secret at all. If, for example, you want to implement a login mechanism, you could save the password in some ultra-safe location you came up with and compare the input with that, but you could omit that and simply implement a way to validate a password without storing it, in a way that you can't get the password back. Like saving the crypto-hash of the password and using that.

Chris

________________________________________
From: Alexander Farber <[email protected]>
Sent: Wednesday, 26 February 2014 08:56
To: [email protected]
Subject: Re: Air apps easily decompiled and hacked

Hello Alex and Tom,

I am not sure where native apps hold the "app secret" for the OAuth. For Facebook you can use its native Android/iOS SDKs... But for other social networks you have to use the OAuth flow.

I was just trying to make the point that sometimes you don't have other options than to hide something in the app...

And Tom's suggestion to proxy authentication through a server isn't good because it defeats the easiness of OAuth (the user has to register username/password at your server first)

Regards
Alex

On Tue, Feb 25, 2014 at 6:59 PM, Alex Harui <[email protected]> wrote:
> Where do native apps keep the "app-secret" if it isn't supposed to be in
> client-side code?
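
The idea from Chris's message above (validate a password against a stored hash instead of a stored password), as an added example that is not part of the original thread. It is written in Python with the standard library's PBKDF2; the record format, function names and iteration count are assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets

ALGO = "pbkdf2_sha256"
ITERATIONS = 300_000   # assumed work factor; tune to your hardware
SALT_BYTES = 16


def make_record(password: str, iterations: int = ITERATIONS) -> str:
    """Return the string to store in place of the password."""
    salt = secrets.token_bytes(SALT_BYTES)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    # The record holds everything needed to re-derive the digest,
    # but not the password itself.
    return f"{ALGO}${iterations}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Re-derive the digest from the input and compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
        iterations = int(iters)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False  # malformed record: reject instead of raising
    if algo != ALGO or iterations <= 0:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    salt, iterations)
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # Constructed sample input.
    record = make_record("correct horse battery staple")
    print(record)
    print(verify("correct horse battery staple", record))
    print(verify("wrong guess", record))
```
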
