[Chugalug] Dropbox (and other Python Apps) Reverse-Engineered

DaWorm daworm at gmail.com
Wed Aug 28 19:23:26 UTC 2013


On Wed, Aug 28, 2013 at 2:47 PM, Benjamin Stewart <stewartbenjamin at gmail.com> wrote:

> I agree. In fact, that's my strategy.
>
> The problem I've run into in the past, however, is essentially the same as
> dropbox's biggest problem above. That is, being able to do something
> automatically for the user without making them enter a password every
> single time. As soon as you cache a password (or token), you have a secret.
> You can't encrypt it securely, either, because the code must necessarily
> have the key at that point, and your attacker can see the code and the key.
>
> I suppose the proper answer is simply never to do that, but people (users,
> not me!) want programs to remember them.
>

We've been dealing with this as well where I work with a mobile app.
Making it totally secure is difficult, if not impossible.  The thing is,
even with a user entered password, all is not well.  If the attacker can
get you to update to a compromised app, then the altered code can easily
copy the password entered and send it off to the attacker for use later.

Jeff
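The point in the quoted reply (a cached token has to be decryptable by the program, so the program must hold the key, so whoever can read the program holds it too) is easy to see in code. The following is an added example, not code from the thread or from Dropbox: a small client that "encrypts" a cached token under a key embedded in its own code, using a perfectly respectable construction (HMAC-SHA256 in counter mode as a stream cipher), next to the few lines an attacker with a copy of the code needs to get the token back. All names (`CachedSession`, `_derive_key`, `attacker_recovers_token`) are hypothetical, and the token and cache contents are constructed for the demo.

```python
"""Added example: why a cached credential cannot be protected by
encrypting it with a key the program itself carries."""
import hashlib
import hmac
import os


def _derive_key() -> bytes:
    """The app does not store the key as one obvious constant; it
    rebuilds it at startup from pieces scattered through the source.
    That is obfuscation, not secrecy: anyone with the code can call
    this function (or dump the result at runtime)."""
    parts = [b"chugalug-", b"demo-", b"app-", b"2013"]  # constructed
    return hashlib.sha256(b"".join(parts)).digest()


EMBEDDED_KEY = _derive_key()


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode. The cipher is not the weak point;
    any cipher would do, because the key is what the attacker has."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Fresh nonce per message; returns nonce || ciphertext."""
    nonce = os.urandom(16)
    ks = keystream(key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, ks))


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:16], blob[16:]
    ks = keystream(key, nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))


class CachedSession:
    """Remembers the user by keeping the API token on disk, 'encrypted'.
    The dict stands in for the cache file (constructed for the demo)."""

    def __init__(self, cache: dict):
        self.cache = cache

    def remember(self, token: str) -> None:
        self.cache["token"] = encrypt(EMBEDDED_KEY, token.encode())

    def token(self) -> str:
        # The program has to be able to do this without asking the
        # user anything, which is exactly the attacker's requirement.
        return decrypt(EMBEDDED_KEY, self.cache["token"]).decode()


def attacker_recovers_token(cache_blob: bytes) -> str:
    """Everything needed is in the shipped code: the key derivation and
    the decrypt routine. Stripping symbol names or packing the binary
    changes how long this takes to find, not whether it can be found."""
    return decrypt(_derive_key(), cache_blob).decode()


if __name__ == "__main__":
    cache = {}
    CachedSession(cache).remember("api-token-constructed-for-demo")
    print("app reads:     ", CachedSession(cache).token())
    print("attacker reads:", attacker_recovers_token(cache["token"]))
```

The only lever left is what the cached secret is worth: caching a revocable, narrowly scoped token instead of the user's password bounds the damage when (not if) it is extracted, which is the practical fallback once "never cache it" has been ruled out.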