I am creating Air (AS3) project. It will be have own system of protection. All data from the server to the application and back is encrypted. I use a secret key which is registered in a server-side scripts and in the application. If a hacker decompiled the app, it can find 开发者_JAVA百科out the secret key. The secret key is the string (constant). I do not want to make obfuscation for my application.
How can I hide this secret key? Can I obfuscate only it? Can I obfuscate separate AS3 class with secret data and then access to it from the main code when needed?
If you don't want someone decompiling the app and finding the key, then your best bet is to never put the key into the applicaiton. Instead, force them to authenticate to your server (over TLS/SSL) to get a key which is negotiated at runtime on a per-client basis.
Once the symmetric key is negotiated, then you can use it to encrypt/decrypt your data for transit. Of course, this raises the question of why don't you just use SSL in the first place? That gives you end-to-end encryption between client and server already.
Of course, an attacker could still pull the decryption key from RAM when the app is running on their system. So they could decrypt the data between the app they're running and the server, but wouldn't be able to decrypt the data being transmitted by other app users (because they each have a different key).
You cannot put the key into the app in any way that can never be found by an attacker. Your app needs to find and use it; the process of your app doing so will lead the attacker to it. So don't put it in there.
If hacker fully decompiles your app, your secret can be traced out easily, no matter how it's storage is obfuscated.
If you want to keep obfuscation minimal, you need to obfuscate every area where secret key is used. If it goes out of "undecompilable" area, it is gone.
![Interactive visualization of a graph in python [closed]](https://www.devze.com/res/2023/04-10/09/92d32fe8c0d22fb96bd6f6e8b7d1f457.gif)
加载中,请稍侯......
精彩评论