[Chugalug] Dropbox (and other Python Apps) Reverse-Engineered
daworm at gmail.com
Wed Aug 28 19:23:26 UTC 2013
On Wed, Aug 28, 2013 at 2:47 PM, Benjamin Stewart <stewartbenjamin at gmail.com
> I agree. In fact, that's my strategy.
> The problem I've run into in the past, however, is essentially the same as
> Dropbox's biggest problem above. That is, being able to do something
> automatically for the user without making them enter a password every
> single time. As soon as you cache a password (or token), you have a secret.
> You can't encrypt it securely, either, because the code must necessarily
> have the key at that point, and your attacker can see the code and the key.
> I suppose the proper answer is simply never to do that, but people (users,
> not me!) want programs to remember them.
We've been dealing with this as well where I work with a mobile app.
Making it totally secure is difficult, if not impossible. The thing is,
even with a user-entered password, all is not well. If the attacker can
get you to update to a compromised app, then the altered code can easily
copy the password entered and send it off to the attacker for use later.