Re: Run-Only script in OSX 10.2.6
- Subject: Re: Run-Only script in OSX 10.2.6
- From: julifos <email@hidden>
- Date: Fri, 16 May 2003 20:32:40 +0200

> At 11:33 AM -0400 5/16/03, Stephen Swift wrote:
>
>> At 5/13/03 3:46 PM, Rob Jorgensen (email@hidden) Wrote:
>>
>>> I haven't experienced the problem with run-only scripts, but...
>>>
>>> I have a one-line script that, in a matter of seconds, can extract
>>> the plain text stored in a run-only script.
>>
>> What do you mean? If I write the code
>>
>> Set thedlg to display dialog "a dialog" default answer ""
>> Set thetxt to text returned of thedlg
>>
>> And save it as a run-only script, what can you see? The code? The text
>> stored in the variables? The items I would see in the event log? I thought
>> run-only scripts were secure.
>
> Ok, I saved your exact code as a run-only app and then ran it. My spy
> script, which took only a second or two to execute, reveals:
>
> - Some raw code, such as "aevtoappnull" and "sysodlogaskr" and other junk.
> - The text returned from the dialog.
> - The variable name: thedlg
>
> So if someone has a line in a script such as:
>
> set licenseCode to "my_secret_serial_number"
>
> The serial number are belong to us.
>
> There are other ways to extract the same info but I don't care to
> offer a tutorial on the topic. :-)
>
> Rob Jorgensen
> Ohio, USA

Also, if you run the script and enter "KARAKULO", you will also see the
string "KARAKULO" stored in the scpt.

There are only two ways to keep a password safe in AppleScript:

- Apply an intelligent algorithm to create the password. Do not use variable
  names such as "pwd" or "myTopSecretInfo", but "_" or "O". Use (ascii number
  97) instead of a plain string "a". And so on...
- ALWAYS reset any top-secret variable to an empty value before exiting the
  script.

Eg:

    set _ to (ascii character 97)
    --> do whatever with your password "a"
    set _ to missing value

Also, remember that a run-only script doesn't ENCRYPT the code, but
optimizes it for run-only purposes; and after a run, some info may be
hardcoded in the scpt resource. Eg, if you COMPILE:

    tell app "Finder" to ...

If you examine your scpt resource, you will see the entire path to your
"Finder.app".

If you run your prompt-for-password code, such a variable will be stored
there, too. A scpt is a granary!

JJ
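
An added example, not part of the original message and not Rob's script: a pre-release check in Python that searches a compiled script file for values you already know are sensitive, on the freshly compiled file and again after a test run. The encodings tried and the sample bytes are assumptions; the byte strings are constructed for illustration and are not a real scpt resource.

```python
"""Pre-release leak check for a compiled (run-only) script file."""
import sys

# Assumption: text in the file may be stored single-byte (MacRoman) or as UTF-16.
ENCODINGS = ("mac_roman", "utf-16-be", "utf-16-le")


def find_leaks(blob, sensitive):
    """Return sorted (value, encoding, offset) for each sensitive value found in blob."""
    hits = set()
    for value in sensitive:
        for enc in ENCODINGS:
            try:
                needle = value.encode(enc)
            except UnicodeEncodeError:
                continue  # value cannot be represented in this encoding
            start = blob.find(needle)
            while start != -1:
                hits.add((value, enc, start))
                start = blob.find(needle, start + 1)
    return sorted(hits)


def new_leaks(before, after, sensitive):
    """Values absent from the freshly compiled file but present after a run."""
    old = {v for v, _, _ in find_leaks(before, sensitive)}
    return sorted({v for v, _, _ in find_leaks(after, sensitive)} - old)


# Constructed sample data: filler bytes around the strings this thread mentions.
COMPILED = (b"\x00\x0eaevtoappnull\x00\x06thedlg\x00\x00"
            b"my_secret_serial_number\x00sysodlogaskr")
# Constructed "after a test run" state: the typed dialog answer saved back.
AFTER_RUN = COMPILED + b"\x00\x10" + "KARAKULO".encode("utf-16-be")
SENSITIVE = ["my_secret_serial_number", "KARAKULO", "not_in_file"]

if __name__ == "__main__":
    # Optional: pass a path to check a real file instead of the sample bytes.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else AFTER_RUN
    for value, enc, offset in find_leaks(blob, SENSITIVE):
        print(f"LEAK {value!r} as {enc} at offset {offset}")
    print("appeared after run:", new_leaks(COMPILED, AFTER_RUN, SENSITIVE))
```

Run it on the file you intend to ship only after at least one test run, since the point made above is that a run can write values back into the file.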