Differences between Commercial and Community versions of LiveCode
Mark Waddingham
mark at livecode.com
Wed Jun 6 13:40:07 EDT 2018
On 2018-06-06 18:09, Tom Glod via use-livecode wrote:
> what if for example you want to hard code a hash salt into your code?.....
> if the code is readable, then so is the salt. I would vote for unreadable
> code 100% of the time.

Technically even if the code isn't readable, then the salt will still be
there - all you are doing is making it more difficult for relatively
unmotivated individuals to get at it. Which perhaps doesn't help much,
as the unmotivated are probably not the ones who are going to cause any
problems.

The only way to truly protect secrets is for no-one to see them and to
only transmit and store them in an encrypted way, where unlocking them
is tied to a secret the end-user has - e.g. user account / password
login.

Certainly if there is a server involved in your app somehow, and if you
control that server then you are far better off making the server the
'keeper of the secrets' because then *you* have control - it's much
easier to delete a record from a server than it is to force all your
users to reinstall a new version of your app because a secret contained
within it has been compromised.

Warmest Regards,

Mark.

P.S. I realize that sometimes storing secrets in distributed apps is the
'only' way - but always think to see if there is a way to avoid it if
you can.

--
Mark Waddingham ~ mark at livecode.com ~ http://www.livecode.com/
LiveCode: Everyone can create apps
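
The server-as-'keeper of the secrets' arrangement described in the message above, as an added example that is not part of the original post or of LiveCode: a per-user random salt and a per-user token live only on the server, are released only on a correct password, and are revoked by deleting one record. The class name, method names, PBKDF2 work factor and sample accounts are assumptions made for this sketch.

```python
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 100_000  # assumed work factor for this sketch


class SecretKeeper:
    """Hypothetical server-side store: salts and hashes never ship in the app."""

    def __init__(self):
        self._records = {}  # username -> (salt, password_hash, token)

    def _hash(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def register(self, username, password):
        # A fresh random salt per user, generated and kept on the server,
        # replaces a single salt hard-coded into every copy of the client.
        salt = secrets.token_bytes(16)
        token = secrets.token_hex(16)  # per-user secret the app needs at run time
        self._records[username] = (salt, self._hash(password, salt), token)

    def login(self, username, password):
        """Return the user's token only if the password unlocks it, else None."""
        record = self._records.get(username)
        if record is None:
            return None
        salt, stored, token = record
        # Constant-time comparison avoids leaking how many bytes matched.
        if hmac.compare_digest(stored, self._hash(password, salt)):
            return token
        return None

    def revoke(self, username):
        # Compromise response: delete one record; no client reinstall needed.
        self._records.pop(username, None)

    def salt_of(self, username):
        # Exposed only so the example can show that salts differ per user.
        return self._records[username][0]
```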