Responses to people who insist on using Tumblr

A note on OpenClip

cowsandmilk:

marco:

Using this, an app can read any saved authentication information in any other apps — for example, an app could steal your Flickr API key from any other apps that you’ve trusted with access to your Flickr account. Or an arbitrary app could read saved passwords from a password-manager app.

I don’t think it would be possible for another app to steal your app’s access to Flickr. Your secret key would be hardcoded in your app and short of some magic crawling through the binary, no one could send a message as you, even if they had your API key (easy to get for an app as it’s clear text in your POST/GET) and they pulled the user auth_token out of your app’s data directory. (Hopefully Richard will correct me if I’m wrong about this).

As for a password manager app, God help you if your password manager is storing stuff in plain text. OnePasswd sure doesn’t. And if the iPhone has Keychain, no one with a brain should. In fact, if the iPhone has Keychain, hopefully your app accessing Flickr put the user auth_token in there.

Richard Crowley: man strings
David Hall: I knew there had to be a way to do that
Richard Crowley: however
Richard Crowley: run strings on the flickr uploadr’s binary
Richard Crowley: and you’ll find no api secret
Richard Crowley: Richard 1, strings 0
Richard Crowley: char secret[16]; secret[0] = '7'; secret[1] = 'a'; ...
Richard Crowley: strings works by dumping the .text segment from elf binaries
Richard Crowley: so doing the character-by-character thing effectively hides it from anything that isn’t actually executing your code
Richard Crowley: you could certainly still get uploadr’s secret via gdb or some other debugger
David Hall: alright, well, that still is nice to know you can make it annoying for people to get it
Richard Crowley: yessir