I have Sparkle working, but in order for it to work both my appcast and app zip file in AWS S3 need to be publicly accessible (readable). From what I hear, it's trivial to get a value from the Info.plist for anyone who has a copy of the application. Isn't that a security risk? Is there no way to keep the files in my S3 bucket private so that no one can come along, get access to SUFeedURL in my Info.plist, and then grab my application right from my S3 bucket?
Why is that a security risk? If your application makes a request to download a file, you can't just hide that request. You can hide it from your Info.plist, but this is not a real sense of security, because users can still sniff the request if they want. The way for it to be secure is that it shouldn't matter if anyone can retrieve your feed URL or app download URL, and there shouldn't be anything sensitive in there.
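The reply above is the standard security model for an updater: the feed and archive URLs are public, and integrity comes from a signature the client checks, not from hiding where the files live. The following is an added example, not code from this thread or from the Sparkle project, showing that check end to end. It assumes Sparkle's EdDSA scheme (an Ed25519 public key in the bundle's SUPublicEDKey and a base64 Ed25519 signature over the archive bytes in the enclosure's sparkle:edSignature attribute), which the thread does not discuss; the key pair, the archive bytes, the bucket URL and the appcast XML are all constructed here so it runs offline. The length comparison is this example's own early reject, not a claim about what Sparkle itself enforces.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/xml"
	"errors"
	"fmt"
)

// Appcast mirrors the subset of a Sparkle appcast (RSS 2.0 plus the
// "sparkle" namespace) needed to verify an update.
type Appcast struct {
	XMLName xml.Name `xml:"rss"`
	Items   []Item   `xml:"channel>item"`
}

type Item struct {
	Title     string    `xml:"title"`
	Enclosure Enclosure `xml:"enclosure"`
}

// Enclosure is the <enclosure> element. Leaving the namespace out of the
// tag matches edSignature whatever prefix the feed declares for it.
type Enclosure struct {
	URL         string `xml:"url,attr"`
	Length      int64  `xml:"length,attr"`
	EdSignature string `xml:"edSignature,attr"`
}

func ParseAppcast(data []byte) (*Appcast, error) {
	var a Appcast
	if err := xml.Unmarshal(data, &a); err != nil {
		return nil, err
	}
	if len(a.Items) == 0 {
		return nil, errors.New("appcast has no items")
	}
	return &a, nil
}

// VerifyEnclosure is the check that makes URL secrecy unnecessary: the
// downloaded archive must carry a valid Ed25519 signature under the public
// key that ships inside the app bundle (SUPublicEDKey, base64-encoded).
func VerifyEnclosure(pubKeyB64 string, enc Enclosure, archive []byte) error {
	pub, err := base64.StdEncoding.DecodeString(pubKeyB64)
	if err != nil {
		return fmt.Errorf("SUPublicEDKey is not valid base64: %w", err)
	}
	if len(pub) != ed25519.PublicKeySize {
		return fmt.Errorf("SUPublicEDKey is %d bytes, want %d", len(pub), ed25519.PublicKeySize)
	}
	if enc.EdSignature == "" {
		return errors.New("enclosure carries no sparkle:edSignature")
	}
	sig, err := base64.StdEncoding.DecodeString(enc.EdSignature)
	if err != nil {
		return fmt.Errorf("edSignature is not valid base64: %w", err)
	}
	if len(sig) != ed25519.SignatureSize {
		return fmt.Errorf("edSignature is %d bytes, want %d", len(sig), ed25519.SignatureSize)
	}
	// Cheap early reject for a truncated or padded download (example's own check).
	if int64(len(archive)) != enc.Length {
		return fmt.Errorf("archive is %d bytes, appcast says %d", len(archive), enc.Length)
	}
	if !ed25519.Verify(ed25519.PublicKey(pub), archive, sig) {
		return errors.New("edSignature does not verify over the archive bytes")
	}
	return nil
}

// buildAppcast plays the publisher: sign with the private key that never
// leaves the developer's machine and emit the feed the public bucket serves.
func buildAppcast(priv ed25519.PrivateKey, url string, archive []byte) []byte {
	sig := base64.StdEncoding.EncodeToString(ed25519.Sign(priv, archive))
	return []byte(fmt.Sprintf(`<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xmlns:sparkle="http://www.andymatuschak.org/xml-namespaces/sparkle">
<channel><title>Example App Updates</title>
<item><title>Version 2.0</title>
<enclosure url="%s" length="%d" type="application/octet-stream" sparkle:version="2.0" sparkle:edSignature="%s" />
</item></channel></rss>`, url, len(archive), sig))
}

// Demo runs the genuine and tampered cases. The archive is a constructed
// byte string standing in for a real zip; the bucket URL is hypothetical.
func Demo() (genuineOK bool, tamperedOK bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}
	pubB64 := base64.StdEncoding.EncodeToString(pub) // what SUPublicEDKey would hold
	archive := []byte("PK\x03\x04 constructed stand-in for ExampleApp-2.0.zip")
	feed := buildAppcast(priv, "https://example-bucket.s3.amazonaws.com/ExampleApp-2.0.zip", archive)
	ac, err := ParseAppcast(feed)
	if err != nil {
		return false, false, err
	}
	enc := ac.Items[0].Enclosure
	genuineOK = VerifyEnclosure(pubB64, enc, archive) == nil
	// Someone who can read, or even overwrite, the public bucket but holds no
	// private key: same length, one byte changed.
	tampered := append([]byte(nil), archive...)
	tampered[len(tampered)-1] ^= 0x01
	tamperedOK = VerifyEnclosure(pubB64, enc, tampered) == nil
	return genuineOK, tamperedOK, nil
}

func main() {
	g, t, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine archive verifies: %v\ntampered archive verifies: %v\n", g, t)
}
```

The point the reply makes falls out of the code: the only secret is the signing key, which never appears in the bundle, the feed or the bucket. Making SUFeedURL or the S3 objects private would add nothing to this check, while leaving the bucket publicly readable costs nothing as long as every enclosure is signed and the client rejects unsigned or mismatching archives.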
Okay, that makes sense, I guess. If you are updating an open-source free program, that works just fine, I suppose. If you are selling a proprietary application, you should be aware that your application is certainly exposed to being pirated, but I don't really see any way of getting around that using Sparkle or any other framework.
Right, in my case, the client would have to communicate with AWS without storing my AWS secrets in code or in Info.plist or whatever. I have never found a good solution to that. Fortunately, the world is not likely to be bending over backwards to pirate my application :-)