Ask YC: API in an Ajax Adobe AIR app?

[ca98am79]

I'm pretty new to developing AIR apps, so maybe this is a dumb question, but I can't seem to find any answers from google. Any help you can give me is greatly appreciated.

I'm building an AIR app with Ajax using an api that is identical to flickr's Api, with a shared secret key. The problem is that the air installation package contains all the source and I don't want to give away my shared secret. Is there any way to do this? Can I hide some source, or somehow include this shared secret within the app without giving it away?

Thanks for your help.

[bprater]

AIR has an encrypted local store you can hide secret information in.

[ca98am79]

thanks - i know about this, but can you store information in it pre-installation?

[jwilliams]

> The problem is that the air installation package contains all the source and I don't want to give away my shared secret. Is there any way to do this?

You've got to give the secret out in some fashion or another - otherwise the application won't be able to decrypt the picture or whatever is it.. Even if you obfuscate it, it'll still be somewhere (in memory or whatever).

Maybe this requires a rethink of your security model? What are you trying to secure?

[arpit]

Install the app and then the first thing the app does at first run is make an api call to get the key and store it into the encrypted store. Pass the md5 hash of the swf as part of the call to get the key to make sure its your own swf thats making a call to the server.

[perezd]

you could have your application do some sort of authenticated request for it on a server maybe? Or better yet, proxy all of your api requests through your server?

I don't know, seems like a lot of runaround to me.