04-29-2011 11:13 AM
04-29-2011 11:16 AM - edited 04-29-2011 11:20 AM
This is a little concerning, though, not truly a surprise. I am disappointed that this seems to be so easy to pull off. I hope that RIM pushes out a fix for this soon.
I wonder if putting specific AIR features in your application would break this hack from working in a browser. I believe SQLite only works with AIR. That should mean that SQLite commands should, in theory, break the application. It might help to lock down your application by catching errors and using those as a way of ejecting from a normal run cycle. I am only speculating on this until it can be tested, but I think it should work.
I guess you could go simpler and test whether the app is running in the AIR environment, or with the Flash Player in a browser. You should be able to use this as your ejection check. Again, just mulling possibilities.
I am in the testing phase with my paid app... I wonder if I would be better off just keeping that application to myself, or releasing in other markets until this is fixed by RIM.
04-29-2011 11:17 AM
Staff UI Prototyper (read: full-time hacker)
04-29-2011 11:18 AM
It would appear from this that RIM puts its security efforts into the wrong places.
All the stuff that we have gone through in the past couple of weeks with the debug tokens, all the **bleep** that we put up with just to deploy our own apps to our own hardware for the sake of security...procedures that are just plain annoying and getting in the way of productivity. And then we find out this bit of news.
Amazing (I have other words instead of that one, but I suppose this is a family-friendly forum).
04-29-2011 11:23 AM
Wow, this is a huge security issue, RIM! No encryption or security at all!
04-29-2011 11:25 AM
I feel violated! This is a ridiculous oversight.
DM backups should be disabled until they can be properly secured by encryption. Or apps should not be backed up at all. They can be reinstalled from AppWorld if necessary.
Is anybody at RIM listening?
04-29-2011 11:27 AM - edited 04-29-2011 11:28 AM
This is a pretty big security flaw.........
It seems that they can be extracted from Desktop Manager backup files. Why aren't these backup files encrypted?
04-29-2011 11:30 AM
04-29-2011 11:31 AM - edited 04-29-2011 11:43 AM
Well, knowing how swf are loaded, this is a normal behaviour I would say: extracting swf is part of the game, like extracting a simple jar file. Also reverse engineering is always possible in all technologies.
All the signing process is there only to protect the PlayBook: only signed stuff can be executed on the PB. But extracted content, as swf, can be run in any FlashPlayer.
-it's up to the dev. to put in place some check that forbids execution if not run on a PlayBook. => this should be provided as a QNX API.
-what also can be "fixed" (asap...) is the "exposing" of swf files in the .bbb files for sure.
-app. can also use "dynamic" license.
-and for reverse engineering... well, it's against the law.
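
The runtime check suggested in two of the posts above (test for the AIR environment rather than a browser Flash Player, and refuse to run otherwise), as an added example that is not code from any poster or from RIM. The class name RuntimeGuard is hypothetical, and the check only distinguishes AIR from a browser or standalone player; it does not identify a PlayBook specifically.

```actionscript
package {
    import flash.display.Sprite;
    import flash.system.ApplicationDomain;
    import flash.system.Capabilities;

    // Hypothetical document class; the name RuntimeGuard is an assumption.
    public class RuntimeGuard extends Sprite {

        // AIR-only classes, looked up by name so that the SWF still verifies
        // in a browser player, where these definitions do not exist.
        private static const AIR_ONLY:Array = [
            "flash.desktop.NativeApplication",
            "flash.data.SQLConnection",
            "flash.filesystem.File"
        ];

        public function RuntimeGuard() {
            if (!isAirRuntime()) {
                // Eject from the normal run cycle: build no UI, load no data.
                return;
            }
            // The application's real start-up code continues from here.
        }

        public static function isAirRuntime():Boolean {
            // playerType is "Desktop" under AIR; browser and standalone
            // players report "PlugIn", "ActiveX", "StandAlone" or "External".
            if (Capabilities.playerType != "Desktop") {
                return false;
            }
            // Second signal: every AIR-only class must be defined.
            var domain:ApplicationDomain = ApplicationDomain.currentDomain;
            for each (var name:String in AIR_ONLY) {
                if (!domain.hasDefinition(name)) {
                    return false;
                }
            }
            return true;
        }
    }
}
```

The check ships inside the SWF itself, so it complements rather than replaces the dynamic license approach mentioned in the last post.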