It sounds like they used a combination of decompiling and static code
analysis? Or maybe as simple as 'strings' on the file.
This is nothing special to AIR (or .swf) applications, and it's a huge
topic.
If you have sensitive data (like passwords) the general advice is
* don't use the same password for every install
For instance, generate a new password when the application registers
* don't store the password in the app
Have the app ask the server for the password when it starts up
In your case, you are unzipping a password protected ZIP? So you are
making a server request anyway.
I assume you are protecting against someone capturing the request and
obtaining their own copy of your files?
I don't know your threat model, but you should be aware users can just
browse the file system on the device to get the files after extraction,
or brute force the .zip password (depending on the encryption scheme),
for instance.
We could talk all day about threat analysis, risk/reward and return on
investment :-)
Tom
On 04/03/15 08:17, Deepak MS wrote:
I'm new to security thingie and have no idea. Can anyone who has worked on
this kindly share best practices?
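The two pieces of advice in the reply above (a per-install password issued at registration, handed out by the server at startup rather than baked into the app) and the 'strings' remark, as an added example that is not part of the thread. `LicenseServer`, `strings` and `secret_visible` are constructed stand-ins, not any real AIR or server API.

```python
import hashlib
import hmac
import re
import secrets


class LicenseServer:
    """Hypothetical backend: holds the master key the app never sees."""

    def __init__(self):
        self._master = secrets.token_bytes(32)  # stays server-side only
        self._installs = set()                  # registered install ids

    def register(self):
        """First run: hand out a fresh id, so every install is distinct."""
        install_id = secrets.token_hex(16)
        self._installs.add(install_id)
        return install_id

    def revoke(self, install_id):
        """Cut off one install without affecting any other."""
        self._installs.discard(install_id)

    def archive_password(self, install_id):
        """Startup: derive this install's ZIP password on request.
        Nothing here needs to be shipped inside the .air/.swf."""
        if install_id not in self._installs:
            raise PermissionError("unknown or revoked install")
        return hmac.new(self._master, install_id.encode(),
                        hashlib.sha256).hexdigest()


def strings(blob, min_len=6):
    """Crude equivalent of the `strings` tool: printable ASCII runs."""
    return [m.decode() for m in
            re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


def secret_visible(blob, secret):
    """Would a plain `strings` pass over this bundle reveal the secret?"""
    return any(secret in s for s in strings(blob))


if __name__ == "__main__":
    server = LicenseServer()
    iid = server.register()
    pw = server.archive_password(iid)
    # Constructed 'bundles': one with the password embedded, one with only the id.
    bad = b"\x89app\x00zip_password=" + pw.encode() + b"\x00"
    good = b"\x89app\x00install_id=" + iid.encode() + b"\x00"
    print("hardcoded password visible:", secret_visible(bad, pw))   # True
    print("id-only bundle leaks password:", secret_visible(good, pw))  # False
```

Revoking an install only invalidates that install's password, which is the practical gain over one password shared by every copy.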