If this is about just looking for sensitive strings in the compiled binary, then they could be stored obfuscated or maybe even as a simple array of bytes.
On Wednesday, 4 March 2015, Tom Chiverton <[email protected]> wrote:
> It sounds like they used a combination of decompiling and static code
> analysis? Or maybe as simple as 'strings' on the file.
> This is nothing special to AIR (or .swf) applications, and it's a huge
> topic.
>
> If you have sensitive data (like passwords) the general advice is
>
> * don't use the same password for every install
> For instance, generate a new password when the application registers
> * don't store the password in the app
> Have the app ask the server for the password when it starts up
>
> In your case, you are unzipping a password protected ZIP? So you are
> making a server request anyway.
> I assume you are protecting against someone capturing the request and
> obtaining their own copy of your files?
> I don't know your threat model, but you should be aware users can just
> browse the file system on the device to get the files after extraction, or
> brute force the .zip password (depending on the encryption scheme), for
> instance.
>
> We could talk all day about threat analysis, risk/reward and return on
> investment :-)
>
> Tom
>
> On 04/03/15 08:17, Deepak MS wrote:
>
>> I'm new to security thingie and have no idea. Can anyone who has worked
>> on this kindly share best practices?
>>
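An added example, not code from anyone on this thread: a small Python pre-release check that does what Tom's "'strings' on the file" does (pull out runs of printable bytes) and then flags runs that look like an embedded password or credential. It also shows the point made above about storing the value obfuscated or as a byte array: the XOR-obfuscated copy no longer shows up to a `strings`-style scan, but the key and the decode routine ship in the same binary, so this is only a speed bump compared with fetching the secret from the server at startup. The two "build" blobs, the password and the URL are all constructed here and are hypothetical.

```python
"""Pre-release check: extract printable strings from a build artifact and
flag likely embedded secrets. Added example; sample inputs are constructed."""
import re

MIN_LEN = 6  # same default run length as GNU `strings` (assumption: 4 there; 6 cuts noise)

# Printable ASCII runs of at least `min_len` bytes, the core of what `strings` reports.
_PRINTABLE_RUN = rb"[\x20-\x7e]{%d,}"

# Heuristics for strings that should never sit in a shipped binary.
SECRET_PATTERNS = [
    re.compile(r"(?i)(password|passwd|pwd|secret|api[_-]?key|token)\s*[=:]\s*\S+"),
    re.compile(r"(?i)https?://[^\s\"']*:[^\s\"']*@"),  # user:pass@ inside a URL
]


def extract_strings(blob: bytes, min_len: int = MIN_LEN) -> list[str]:
    """Return every printable-ASCII run of at least min_len bytes, in file order."""
    pattern = re.compile(_PRINTABLE_RUN % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(blob)]


def find_secret_candidates(blob: bytes) -> list[str]:
    """Strings from `blob` that match one of SECRET_PATTERNS; [] means clean."""
    return [s for s in extract_strings(blob) if any(p.search(s) for p in SECRET_PATTERNS)]


def xor_obfuscate(data: bytes, key: int) -> bytes:
    """Single-byte XOR, the kind of 'store it as a byte array' trick the thread
    mentions. Symmetric: applying it twice with the same key restores the input."""
    return bytes(b ^ key for b in data)


# Constructed sample "binaries" (hypothetical content, not a real SWF/AIR build).
PLAIN_BUILD = (
    b"\x00\x01FWS\x0a"
    + b"zip_password=Hunter2-Example!"
    + b"\x00\xff"
    + b"http://user:pa55@example.invalid/pkg.zip"
    + b"\x00"
)
OBFUSCATED_BUILD = (
    b"\x00\x01FWS\x0a"
    + xor_obfuscate(b"zip_password=Hunter2-Example!", 0x5A)
    + b"\x00\xff"
)


if __name__ == "__main__":
    for name, blob in (("plain", PLAIN_BUILD), ("obfuscated", OBFUSCATED_BUILD)):
        hits = find_secret_candidates(blob)
        status = "FAIL" if hits else "ok"
        print(f"{name:10s} {status}: {hits}")
```

Run it as a CI step over the real artifact (`find_secret_candidates(open(path, "rb").read())`) and fail the build on any hit. The obfuscated blob passing this check is exactly why the check is only a backstop: anyone who decompiles the SWF finds the XOR key next to the array, which is the reason the advice above is to not put the password in the app at all.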
