Differences between Commercial and Community versions of LiveCode

Mark Waddingham mark at livecode.com
Wed Jun 6 13:40:07 EDT 2018


On 2018-06-06 18:09, Tom Glod via use-livecode wrote:
> what if for example you want to hard code a hash salt into your 
> code?.....
> if the code is readable, then so is the salt.  I would vote for 
> unreadable
> code 100% of the time.

Technically even if the code isn't readable, then the salt will still be 
there - all you are doing is making it more difficult for relatively 
unmotivated individuals to get at it. Which perhaps doesn't help much, 
as the unmotivated are probably not the ones who are going to cause any 
problems.

The only way to truly protect secrets is for no-one to see them and to 
only transmit and store them in an encrypted way, where unlocking them 
is tied to a secret the end-user has - e.g. user account / password 
login.

Certainly if there is a server involved in your app somehow, and if you 
control that server then you are far better off making the server the 
'keeper of the secrets' because then *you* have control - its much 
easier to delete a record from a server then it is to force all your 
users to reinstall a new version of your app because a secret contained 
within it has been compromised.

Warmest Regards,

Mark.

P.S. I realize that sometimes storing secrets in distributed apps is the 
'only' way - but always think to see if there is a way to avoid it if 
you can.

-- 
Mark Waddingham ~ mark at livecode.com ~ http://www.livecode.com/
LiveCode: Everyone can create apps




More information about the Use-livecode mailing list