Is there any way to check the integrity of the application just before the application starts up? (to prevent anyone changing the application after it is installed)
Adobe AIR automatically does this when you sign your code and package your aar file. If you touch anything inside the aar file after signing it, you should get an error. See: http://help.adobe.com/en_US/AIR/1.5/air_security/WS5b3ccc516d4fbf351e63e3d11c0f598475-7ffa.html
I don't know if Adobe AIR itself provides any such integrity checker.
A (non-optimal) solution would be to have a database of md5 hashes of all or select important files, and verify it again at start-up. (you could use this for the md5 hashing.)
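Added example, not part of the original answer or of any Adobe API: a start-up check against a hash manifest, as the answer above suggests. It uses SHA-256 in place of MD5 and authenticates the manifest with an HMAC; the function names, file names and key are hypothetical.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large assets are fine."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def hash_tree(root: Path) -> dict:
    """Relative path -> digest for every file under root."""
    return {p.relative_to(root).as_posix(): file_digest(p)
            for p in root.rglob("*") if p.is_file()}

def build_manifest(root: Path, key: bytes) -> dict:
    """Run at packaging time: hash the tree and MAC the hash list."""
    files = hash_tree(root)
    body = json.dumps(files, sort_keys=True).encode()
    return {"files": files, "mac": hmac.new(key, body, hashlib.sha256).hexdigest()}

def verify_install(root: Path, manifest: dict, key: bytes) -> dict:
    """Run at start-up: report what changed; an empty dict means intact."""
    body = json.dumps(manifest["files"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["mac"]):
        return {"manifest": ["tampered"]}
    known, current = manifest["files"], hash_tree(root)
    report = {
        "modified": sorted(f for f in known if f in current and current[f] != known[f]),
        "missing": sorted(f for f in known if f not in current),
        "unexpected": sorted(f for f in current if f not in known),
    }
    return {kind: names for kind, names in report.items() if names}

def demo() -> dict:
    """Constructed install tree: one file is patched, one is dropped in."""
    with tempfile.TemporaryDirectory() as tmp:
        root, key = Path(tmp), b"constructed-demo-key"
        (root / "app.swf").write_bytes(b"original code")
        (root / "config.xml").write_text("<config/>")
        manifest = build_manifest(root, key)
        (root / "app.swf").write_bytes(b"patched code")
        (root / "extra.dll").write_bytes(b"dropped file")
        return verify_install(root, manifest, key)
```

A key shipped inside the application can be extracted and the check itself can be patched out, so this only raises the bar; a package signature verified by the runtime or OS is the stronger control.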
Since Nokia doesn't sign Symbian apps any more, is there any alternative to sign an app for Symbian?
Maybe some behind-the-scenes hack or bypass?
symbiansigned.com and cer.opda.cn are dead, don't even mind getting developer certificates - just hack your phone, no way to do this otherwise nowadays:
https://shahbazalam781.blogspot.com/2013/04/hack-all-symbian-phones-s60v3-s60v5-s3.html
This works great, just try setting your phone Date & Time to somewhere about 2010-2012 when installing apps until it clicks. After hacking phone you won't need to do this anymore.
In case link dies:
SIMPLEST PROCEDURE: First Download 3 Files
DOWNLOAD-Norton-Symbian-Hack http://gallery.mobile9.com/f/3177996/
DOWNLOAD-Rom-Patcher-Plus-v31 http://gallery.mobile9.com/f/3178010/
DOWNLOAD-Xplore V1.58 http://gallery.mobile9.com/f/3175430/
1. Install “NortonSymbianHack.sisx”.
2. Launch it.
3. Go Options – Anti-Virus – Quarantine list.
4. Go Options – Restore. Accept prompt.
5. Exit application. Delete Norton from Application Manager (Symantec Symbian Hack). Also delete “C:\shared\” folder.
6. Install “RomPatcherPlus_3.1.sisx”.
7. Launch and apply patches:
   Open4all for full access to file system.
   Installserver for installing any unsigned applications.
   (If “Installserver” has red cross, follow steps 8 to 15.) (If checked, reboot now your phone.)
   Note: Set patches to auto if needed. (Options – Add to auto)
8. Install X-Plore.
9. Open it.
10. Press (Menu – Tools – Configuration).
11. Check all (Show Hidden Files, etc.).
12. Open “installservers_pack.zip”.
13. Choose what Symbian OS you have. (List below)
14. Copy “installserver.exe” from the folder of your OS to “C:/sys/bin”. (No need to apply patch on RomPatcher.)
15. Reboot phone. Phone is now hacked.
Officially, you could of course continue using the developer certificates you might have, and if they are expired, the device time might need to be adjusted for the installation time.
Then also the self-signing works just as it used to. For any new certificates or signings, unfortunately there is no official help available.
You can use this app to sign Symbian apps.
The signing process is fail-able but the self-signing works perfectly.
Here's the link
Can someone please clarify below behaviours from security point of view:
Please note, application will be distributed outside AppStore.
I built a Mac application (.app) and I have not signed it with a Developer ID. If I open the app on some other Mac where the Security & Privacy setting is Allow downloads from – Mac App Store and identified developers.
In this scenario, is this app supposed to run? As I understand from the security, it should not. But it is running fine without warning.
If I build a dmg file with the app and both the dmg and the app are not signed, how should it behave in this case when I click on the dmg?
If I sign the dmg file but not the app, what should happen when I click on the dmg file and later the app?
Is only signing the dmg enough?
The Gatekeeper security policy only applies to "downloaded" files. When some apps (e.g. Safari, Mail, Messages, etc) download a file, they apply a com.apple.quarantine extended attribute to the file, marking it as being in quarantine because it was downloaded from an untrusted source. When you open the file, several quarantine-based security policies are applied, including the Gatekeeper policy.
If the file was never placed in quarantine because it was not "downloaded", the Gatekeeper policy will not be applied. Note that copying files via USB disks, AFP or SMB file sharing, etc do not apply the quarantine attribute (see this Apple.SE question).
If you want to test the quarantine behavior, you can create your own com.apple.quarantine attribute with either of the procedures described here.
If the disk image is quarantined, the quarantine will be applied to its contents and running the app will apply the Gatekeeper policy. If the disk image is not quarantined, Gatekeeper will not activate.
Under older versions of OS X (through 10.11), signing the disk image is irrelevant. If the disk image is quarantined, the app contained in it will be as well, and so the app must be signed to run.
[UPDATE] Starting in macOS Sierra (10.12), signing the disk image is sometimes required in addition to signing the app. The details are complicated, so for simplicity's sake I'll just recommend signing your disk images. But be sure to do the signing under 10.11.5 or later; that's when Apple added the ability to embed a signature in a disk image in a way that won't be lost when it's downloaded.
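Added example, not part of the original answer: a triage helper that applies the rule described above (no com.apple.quarantine attribute means the Gatekeeper policy is not applied) to an inventory of extended attributes. The field layout flags;hex timestamp;agent;event UUID is an assumption based on commonly observed `xattr -p` output and is not stated on this page; the paths and values are constructed.

```python
from datetime import datetime, timezone

QUARANTINE = "com.apple.quarantine"

def parse_quarantine(value: str) -> dict:
    """Split a quarantine attribute value into its fields.

    Assumed layout: flags;hex_epoch_seconds;agent;event_uuid
    (the last two fields may be empty or absent).
    """
    parts = value.strip().split(";")
    if len(parts) < 2:
        raise ValueError(f"unrecognised quarantine value: {value!r}")
    parts += [""] * (4 - len(parts))
    flags, stamp, agent, event_id = parts[:4]
    return {
        "flags": int(flags, 16),
        "downloaded_at": datetime.fromtimestamp(int(stamp, 16), tz=timezone.utc),
        "agent": agent or None,
        "event_id": event_id or None,
    }

def triage(inventory: dict) -> dict:
    """Map each path to whether the Gatekeeper policy applies when it is opened."""
    result = {}
    for path, xattrs in inventory.items():
        if QUARANTINE not in xattrs:
            # Copied via USB, AFP/SMB, or built locally: never quarantined.
            result[path] = "not quarantined: Gatekeeper policy not applied"
            continue
        info = parse_quarantine(xattrs[QUARANTINE])
        agent = info["agent"] or "unknown agent"
        when = info["downloaded_at"].strftime("%Y-%m-%d")
        result[path] = f"quarantined by {agent} on {when}: Gatekeeper policy applies"
    return result

# Constructed sample: path -> extended attributes as collected with xattr.
SAMPLE_INVENTORY = {
    "/Users/demo/Downloads/Tool.app": {
        QUARANTINE: "0083;5f3b2c1a;Safari;1B2C3D4E-0000-4000-8000-AABBCCDDEEFF",
    },
    "/Volumes/USB/Tool.app": {},
}

if __name__ == "__main__":
    for path, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{path}: {verdict}")
```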
I was recently given a VB.NET project for fixing some bugs and creating an installer for it. I was told to use InstallShield LE.
All went well with creating the install script but Windows 8 is giving me a SmartScreen warning when downloading the application from a web site and trying to install it.
I am aware of Windows 8 policy where popular applications get more "trust points" and become popular but the application is targeted for a fairly small audience of people therefore we can not rely on this option. Even more, people without proper knowledge would be repelled by the warning message and that could cause MS to never raise the trust for the application.
My question is, do I have to sign both - the application and the installer with a certificate? If so how do I sign the installer, as there is a signing tab for the project but I can't find one for the installer.
Bonus points if anyone can tell me if acquiring a proper certificate will remove the warning message telling this isn't a commonly downloaded file and might be dangerous from Chrome/IE when downloading the application. There are many threads about this, I know, but most of them suggest adding the site to webmaster tools but that hasn't helped and we're still receiving the message.
Thanks.
If I have read your post correctly then you are talking about an application as opposed to a website, and for that you would need a code signing certificate. Certificates that sign websites are different so first and foremost decide what it is that you are producing and want to sign.
Having decided that then you need to decide who you will use to supply your certificate. Typical sources would be VeriSign, Thawte or GlobalSign to name but three. All charge different prices but essentially do the same thing.
Once you have the certificate then the installer that you use to build your application signs the code files you select and the actual installer (msi or exe) itself.
That should eliminate the message that you now see warning people about potentially dangerous files that they are about to download.
I cannot stress enough however that you need to be clear about which type of certificate you need BEFORE you go ahead and buy one. I think from your description you are talking about a code signing certificate but do check first.
Following CAB forum regulation you will need to have an Extended Validation code signing in order to bypass the smart screen filter.
Extended Validation code signing will establish immediate trust with the machine, as you go through a more stringent validation process to obtain it! (or at least that's the rationale behind it!)
I think you can get an extended validation code signing either from Symantec or GlobalSign.
This looks like an extremely silly question even to me, but anyway, I'm curious:
Is there a way to protect an Adobe Air application with hardware key (aka Software Protection Dongle)?
I'm looking into developing a certain application that would require such key as a protection from being pirated (I can't change that fact), and it looks like that using Adobe Flash is the easiest way to write what this particular application should do.
If you are writing purely in Flash then you could use a product like SWF Studio (or Zinc) which encrypts the flash file and produces an executable file. It needs to be encrypted because in a standard flash executable file the swf data can easily be extracted. Then you can protect this executable file using a Shell wrapper which ties it to a dongle. I did this using SWF Studio and Dinkey Dongles with my flash executable and it worked very well.
Links:
SWF Studio
Dinkey Dongles
AIR applications have no support for hardware dongles and don't even possess decent protection from decompiling. I imagine the dongle can be detected with some helper application called with NativeProcess, but this will require a different helper for each OS. Also, without obfuscation all this will be pointless. See Trillix SWF Decompiler for decompilation and SecureSWF for obfuscation.
This may sound very noobish, but I can't seem to get my app to my BlackBerry.
I was trying to follow the beginning BlackBerry development book's guide, but maybe I just missed the point somewhere.
For remote download, is it really as simple as dropping the COD and JAD files in the same folder on your server then just navigating to the URL with your device's browser? The book says it should prompt a download screen, but all I get is a page full of cryptic characters.
My app is a simple slideshow. Uses no signed things and is not MDS enabled. Did I forget something?
Any help would be appreciated.
Thanks
The easiest way to do it during development is to use javaloader:
javaloader.exe -u load myapp.cod
Where "myapp.cod" is the single COD file generated by the rapc compiler (and optionally signed if required).
If you do want to install it "OTA" (over the air) from your webserver, make sure you are deploying the JAD file and individual COD files (if it's a large app). Also make sure that your webserver MIME types are set properly for the .jad and .cod file extensions.
You could try to Bluetooth the COD and JAD files to your BlackBerry.