Thanks Tomislav, I'll try that as well. File size would be quite big, around 200 - 250MB. Maybe I need to decode it back in chunks.

On Wed, Mar 4, 2015 at 5:34 PM, Tomislav Pokrajcic <[email protected]> wrote:

> If your system works with user accounts, you can use them to restrict
> access to sensitive data (like contents of a zip file).
> E.g. don't serve zip file from an open URL but make it available only
> through protected server side call accessible to users with existing
> accounts.
> Easy way to do it is to encode zip to Base64 and serve it to the client as
> a string within AMF, JSON, XML or whatever data structure.
> That way there's no need to hardcode any passwords.
> Cheers,
>
> Tomislav
>
> On 4.3.2015. 11:40, Deepak MS wrote:
>
>> Hi Tom,
>> Ok. This is how it's all set up:
>> Firstly db file gets downloaded on the device which is a password
>> protected zip file. I'm using ANEZipFile ANE to unzip this zip file
>> (https://github.com/xperiments/ANEZipFile) and I'm using unzip method from
>> it [ unzip(zipfile : File, destination : File, overwrite : Boolean = false,
>> password : String = "") : void;) ]
>>
>> I need to pass the password while calling unzip method. Whether I pass a
>> variable to 'password' parameter here or even if I directly pass the
>> password value, it shows up in that console. Whether I store the password
>> in my code or whether I get it from a service from backend, ultimately I
>> need to pass it to this method and it might show up again on that console.
>> I'm not sure how else I can pass the password to unzip method. For that
>> matter, I reckon the tool can hack the native extension's code too?
>>
>> That's one part and as you said, the db location is something like this
>> https://myserver.com/ipaddata/dbfile.zip . We can easily browse this and
>> download the zip file. We are not able to restrict it. If we restrict it we
>> get stream error in the app and app cannot download the file. ;( Hence I
>> wondered, if at least password can be hidden, there can be some relief.
>>
>> Hi Erik,
>> Thanks for the link. I'll give that too a try.
>>
>> On Wed, Mar 4, 2015 at 3:26 PM, Tom Chiverton <[email protected]> wrote:
>>
>>> There are also dedicated .swf obfuscating products I suppose.
>>>
>>> Tom
>>>
>>> On 04/03/15 09:49, Erik de Bruin wrote:
>>>
>>>> You may want to check out this technique:
>>>>
>>>> http://www.ghostwire.com/blog/archives/as3-hiding-assets-and-code-by-embedding-swf-within-another-swf/
>>>>
>>>> EdB
>>>>
>>>> On Wed, Mar 4, 2015 at 9:17 AM, Deepak MS <[email protected]> wrote:
>>>>
>>>>> Hello,
>>>>> We have developed some apps specifically for iPads and there has been
>>>>> rigorous testing from security team using some hacking tools. What these
>>>>> tools do is they display all the code variables and their values from the
>>>>> ipa file that we provide to them. Due to this, our app db locations (sqlite
>>>>> files for offline app) and passwords used (to unzip a secured zip file, that
>>>>> gets downloaded, using ANEZipFile native extension) are clearly exposed. It
>>>>> literally shows all the coding that has been done (still wondering how can
>>>>> this be possible from swf and then from ipa).
>>>>>
>>>>> I'm new to security thingie and have no idea. Can anyone who has worked on
>>>>> this kindly share best practices?
>>>>>
>>>>> Some screenshots from the tool which shows the variables and values used in
>>>>> the app:
>>>>>
>>>>> http://pbrd.co/1M69vES
>>>>> http://pbrd.co/1M69MYB
>>>>>
>>>>> App is built using Flex 4.13FP15AIR15.
>>>>>
>>>>> Appreciate your help.
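
Added example, not part of the thread and not any poster's or ANEZipFile's code: a Python sketch of the chunked Base64 decoding mentioned in the top reply, showing that pieces must be regrouped on 4-character boundaries before decoding so a 200 - 250MB payload never has to sit in memory as one string. The function names, the piece size and the SHA-256 digest (which assumes the server publishes a hash to compare against) are assumptions made for illustration, and the sample payload is constructed.

```python
import base64
import hashlib
import io


def decode_base64_stream(pieces, out):
    """Decode Base64 text that arrives in arbitrary-sized pieces.

    Writes the decoded bytes to `out` and returns (byte_count, sha256_hex).
    Only one piece plus at most 3 carried characters is held at a time.
    """
    carry = ""                      # 0-3 characters left over from the last piece
    digest = hashlib.sha256()
    written = 0
    for piece in pieces:
        carry += "".join(piece.split())          # drop line breaks and spaces
        usable = len(carry) - len(carry) % 4     # Base64 decodes in 4-char groups
        group, carry = carry[:usable], carry[usable:]
        if group:
            raw = base64.b64decode(group, validate=True)  # reject foreign characters
            out.write(raw)
            digest.update(raw)
            written += len(raw)
    if carry:
        raise ValueError("Base64 stream ended in the middle of a 4-character group")
    return written, digest.hexdigest()


def split_text(text, size):
    """Cut text into fixed-size pieces, as a chunked server response might."""
    return [text[i:i + size] for i in range(0, len(text), size)]


# Constructed sample standing in for the zip file (not real data).
SAMPLE = bytes(range(256)) * 40 + b"tail"
ENCODED = base64.b64encode(SAMPLE).decode("ascii")

if __name__ == "__main__":
    sink = io.BytesIO()
    # 1001 is deliberately not a multiple of 4, so pieces split inside groups.
    count, sha = decode_base64_stream(split_text(ENCODED, 1001), sink)
    assert sink.getvalue() == SAMPLE
    print(count, sha == hashlib.sha256(SAMPLE).hexdigest())
```

In the app, `out` would be a file stream opened for writing rather than an in-memory buffer.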
