Thursday, April 22, 2010

Tamarin Gems

While working on one of my recent ActionScript projects, I came across some interesting and useful information on the Tamarin project site. Tamarin, of course, is the ActionScript virtual machine responsible for running ActionScript code in the Flash Player. I am sure someone else must have blogged about these somewhere on the web, but I still want to mention them again here.

Wednesday, April 21, 2010

Defeating Nitro-LM

I have been working on a flash project that calls for some basic intellectual property protection mechanisms, which led me to discover a neat little commercial encryption framework called Nitro-LM.

Before I go any further, I want to point out two things. First, I am all for open source and sharing code (which is the main reason why I started this blog), but there are definitely situations when you want to encrypt part of the code, for your own benefit as well as for the protection of your users. For instance, let's say you have developed an awesome online game; you certainly do not want a cheater to reverse-engineer your code, exploit it, and ruin the fun for other players, right? Second, I admit that client-side code is never 100% secure. This is especially true for Flash applications, which can easily be decompiled. Even if you apply all the encryption and obfuscation technologies in the world to protect your code, an overly zealous hacker can still, given enough time and effort, reconstruct the source code from the bytecode.

Therefore, let's agree that the purpose of any intellectual property protection mechanism is not to prevent others from exploiting your code, but rather to make the process of reverse-engineering less cost-effective than actually playing by the rules. That said, I set out to test whether this Nitro-LM framework is enough for my task.

Sunday, April 18, 2010

Facebook and Google Map with PhoneGap

I have been experimenting with a neat little framework created by the folks at PhoneGap recently, and I am quite impressed by the results. This framework allows developers to build HTML and JavaScript applications that take advantage of device-specific features, such as GPS, on iPhone, iPad, Android, Palm, and BlackBerry.

The first thing I tried was to get the GPS location and display the coordinates on Google Maps. It worked perfectly. Next, I wanted to connect the application to Facebook. Things got a little trickier. Since the HTML and JavaScript code are stored and run locally on the device as part of the application, I needed to find a way to get the session key and the session secret from Facebook. While there exist third-party libraries for developing desktop Facebook applications, I prefer to write my own code.

Loading the session key and the session secret from Facebook is rather trivial. I simply tell Facebook to post the information to a callback page on a server, and that page relays the information back. The problem, however, is that the callback page and the local JavaScript run in separate security sandboxes; the local JavaScript cannot access the information relayed by the callback page. Here is where HTML5 comes to the rescue.

Sunday, April 11, 2010

Simple PHP Facebook API

Facebook is by far the most popular social networking site on the web. If you are a web application developer, chances are you have tried to use the Facebook API at least once. While the Facebook developer platform offers Facebook Connect and client libraries for various languages, including PHP, JavaScript, ASP.NET, and ActionScript, these libraries are, in my opinion, rather hefty.

In one of my recent projects, I wanted to allow my client and server code to interface with Facebook "directly". Of course, one should avoid hardcoding the Facebook App API Key into the client code, and one should NEVER transmit the Facebook App Secret to the client side at all. Therefore, any client calls to the Facebook API should be passed through a server that holds the secret.

Saturday, April 10, 2010

Welcome to HackaBee

Welcome to HackaBee.

As an amateur web application developer and an all-too-typical geek, I come across some interesting discoveries and new tricks on software architecture and system security every now and then during research and development. The purpose of this blog is to document these findings for my personal amusement, to share them with other developers, and to connect with like-minded individuals across the web.

I would like to stress that while I enjoy hacking and reverse-engineering as a hobby and an academic exercise, I take the matter of internet security very seriously. The ultimate goal of any hacking attempt should be to use the knowledge gained to improve overall security. Please do not use any of the information posted on this blog to exploit others or to carry out unauthorized attacks on a security system. Remember: "with great power comes great responsibility".

Hope you enjoy this blog and have fun hacking ethically.