I'm working on a desktop application that uses API keys for Twitter but AFAIK, AIR applicatioons are easy to decompile. I want the processing of the API requests to be client-side, not server-sided. At most, I want to keep the dependency onto the server to as low as possible.
What I'm thinking is sending the API from the server to the AIR app on the first run. I've already seen Shared secret with API in an Ajax Adobe AIR app but my question is a bit different in that, I want to know how secure ELS is?
How does Adobe work it's way to storing stuff into the ELS? Does it go through multiple encryption sessions before finally getting stored somewhere on the computer?
Anything that an application on the user's desktop can read, can also be read by the user himself. They can get the key by using a proxy (like Charles) when you send it from or to the server; or they can read it with a debugger when AIR writes it to the ELS.
If I'm not mistaken, Twitter's API keys are public anyway (its only purpose is to track how you are using their API). Are you worried that a user might use your key for their own application? If they do that, all you have to do is get a new Twitter key.
Related
I'm trying to build my first Sproutcore App and I struggle to connect it to a MySQL-Database or any datasource other than fixture. I can't seem to find ANY tutorial except this one from 2009 which is marked as deprecated: http://wiki.sproutcore.com/w/page/12413058/Todos%2007-Hooking%20Up%20to%20the%20Backend .
Do people usually not connect SC-Apps to a Database? If they do so, how do they find out how to? Or does the above mentioned tutorial still work? A lot of gem-commands in the introduction seems to already differ from the official Sproutcore getting-started-guide.
SproutCore apps, as client-side "in-browser" apps, cannot connect directly to a MySQL or any other non-browser database. The application itself runs only within the user's browser (it's just HTML, CSS & JavaScript once built and deployed) and typically accesses any external data via XHR requests to an API or APIs. Therefore, you will need to create a service wrapper around your MySQL database in order for your client-side app to be able to load and update data.
There are two things worth mentioning. The first is that since the SproutCore app contains all of your user interface and a great deal of business logic, your API can be quite simple and should only return raw data (such as JSON). The second is that, I should mention that the client-server design, while more tedious to implement, is absolutely necessary in practice, because you can never trust the client side code, which is in the hands of a possibly nefarious user. Therefore, your API should also act as the final gatekeeper to validate all requests from the client.
This tutorial I found helped me a lot. Its very brief and demonstrates how to implement a very simple login-app, how to send post-requests (triggered by the login-button-action) to the backend-server and how to asynchronously process the response inside the Sproutcore-App:
http://hawkins.io/2011/04/sproutcore_login_tutorial/
Is it possible to create an ApplicationUpdater in an AIR app that uses some sort of authentication (perhaps HTTP Basic) to download updates from the server? I want to enable auto-updating in a proprietary application, so it doesn't make sense to upload updates to a publicly accessible web location, since only people who already have the application should be able to get updates.
If I understand this what you wrote the right way you just use XML on your Server which will at start up read out IF OR IF NOT to update just the same way the ADOBE updater works, and with that you can use true / false etc. at least that how I did it with some of my AIR Applications! all can be enforced (visible or invisible) or just by the user done like YES / NO etc. endless options. regards aktell
I have a given Javascript browser application with login screen and data display screen. It does request JSON data via calls that are always the same (i.e. http://myserver.lol/api/getData?mobile), the data changing only slightly over time.
What I want is a mobile app for Android/iOS/Windows Phone/Blackberry, which
-> at best "caches" the whole web site (html/js...) in the app, so I don't have to rebuild the app whenever the web app changes;
-> provides some form of "auto-login"/"auto-form-fill", so the user does not have to give his credentials every time, and
-> some kind of long-term cache for the JSON data, so it is requested from server when a fast network connection (LTE/WLAN) is available, but taken from Cache on GSM or without connection.
Which Framework would allow to implement this the easiest? I am just now looking at the PhoneGap docs and the Titanium docs, but I guess I am overlooking something, or don't they provide an easy solution for this? Or perhaps you have an insider tip for me on another framework?
You can definitely handle this buy using both frameworks. I use only Phonegap / Cordova.
I would do this all by building the application with Phonegap together with AngularJS.
You can use templates in there, so you don't have to fetch the Ui from your server.
To cache data (user credentials or JSON data) I would just use the localStorage which is available on all devices (see here).
I recommend angularJS because it is a really great framework which helps you build Web-Applications really fast (but if you already have an existing application this might not be an option for you).
I hope this helps ;-)
So this is more of a general question about apps and techniques rather than a specific code question...
When developing an larger app, how would a developer access lots of data from a website. The example I'll use is an app like Yelp. They have both a web-access site and an app, both share the same information. I would imagine that information like that is stored on the website via some sort of MySQL database and the iOS device access's it as needed based on the user's requests.
How might a developer writing an app start something like this? I assume you need to somehow securely tie the MySQL database to iOS and so on. I've seen a lot of techniques on the web, but they all seem very simple and not safe for a large scale app.
Any ideas would be awesome!
The key term you're looking for is "API" (Application Programming Interface).
A Yelp iOS app won't access Yelp's databases directly. There will be a layer (I simplify here somewhat) between that and the iOS app; this layer will provide a series of methods (the API) by which clients can make queries and potentially manipulate remote state.
A common API format is JSON over HTTP, and indeed, this is what the official Yelp API seems to be.
Good starting points would be the documentation for NSURLConnection and NSJSONSerialization, and the Yelp API documentation I link above.
Over the years I've become an uber-nerd when it comes to flash game development. Now I'm thinking about looking into using my skills for helping other game-developers out there.
I want to develop an API in AS3 which will allow the developer to do (as a start) the following:
Display a dialogue which lets the user log into their "account" (hosted on my site).
Send a score/value to the website and attribute it to the logged in user.
Unlock an achievement (achievements will be set up by the developer in the web interface - which is where they will also get a key of some type to use with their API.
Display high scores, other players profiles in-game, etc (show basically any stats in-game).
All easy enough to develop straight off the bat. However; where it becomes frustrating is security. I'm not expecting an indestructible solution that I'm fully aware isn't possible, but what would be the most defensive way to approach this?
Here are the issues that I can think up on the spot:
The big one - people stealing the API key via man-in-the-middle attack.
Highscore injection, false achievement unlocks.
Decompiling the SWF and stealing the API key.
Using the API key to create a dummy flash application and send random data like highscores.
Altering the API itself so you don't need to be logged in, etc.
One thought I've had was converting my API to a component so there's no access to the code (unless you decompile). The problem here is it's just not friendly to the developers, though it would allow me to create my own graphics for the UI (rather than coding many, many sprites).
Private/public keys won't work unless there is very good protection against decompiling.
I'm beginning to wonder if this idea is a dead end.
Any advice on securing this (or parts of it) would be great.
Look at this thread first if you haven't done so already: What is the best way to stop people hacking the PHP-based highscore table of a Flash game
Against man-in-the-middle HTTPS seems the only option. It may have its vulnerabilities, but it's way better than any home-made solution. The problem that you'll need actual certificate from authorized center, because ActiveX-based Flash plugin will not trust self-signed certificate.
Should not be possible without decompilation
SecureSWF with reasonably high settings (code execution path obfuscation and encrypted strings) should beat most decompilers. Sure, SWF can be examined with hex editor, but this will require very determined hacker.
Should not be possible without decompilation
API should be on server and any API function would require user context (loaded by HTTPS)
Also add encryption to flash shared objects\cookies. I had successfully altered some savegames using simple hex editor, because they were just objects in AMF format. Encryption will depend on SWF decompilation, but since we are using SecureSWF... Or move savegames on server.
client side is never secure enough, so i'd suggest to take all the logic to the server, reducing client to just UI.
If it's impossible due to network timeouts - send scores/achievements only with the log of pairs "user_action - game_state" and verify it on the server.