On 20 Feb 2012, at 13:19, David Arno wrote:

>> * can i get a badLoader into the application
> Probably. After all, what happens if someone spoofs the apache flex download
> site and provides a dodgy version of the SDK? But that's a whole different
> issue.

Yeah, though signed RSLs currently protect any app which uses them from being compromised by browser-cached libraries from otherApp based on a dodgy SDK. Question is, can the proposed goodLoader do similar without itself being compromised? I hope so - it sounds promising. Although: I suspect that, with effort, it is possible for a suitably skilled man-in-the-middle attacker to intercept the loader SWF, replace the byte-code storing the MD5 values with their own, and still inject badLibrary. Sorry - still thinking up problems rather than solutions.
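
The concern raised in this message, modelled as an added example (not part of the original thread and not Flex or RSL code): a digest table shipped inside the loader only proves the library matches whatever loader arrived. The JSON "loader", the `framework` name, the sample bytes and the out-of-band SHA-256 pin are all assumptions made for illustration.

```python
import hashlib
import hmac
import json

def make_loader(libs):
    """Serialise a model loader: a table of library name -> MD5 hex digest."""
    table = {name: hashlib.md5(body).hexdigest() for name, body in libs.items()}
    return json.dumps(table, sort_keys=True).encode()

def embedded_check(loader, name, body):
    """What the loader alone can do: compare against its own embedded table."""
    expected = json.loads(loader).get(name, "")
    return hmac.compare_digest(expected, hashlib.md5(body).hexdigest())

def anchored_check(loader, name, body, pinned_loader_sha256):
    """Same check, but the loader must first match a digest held outside the channel."""
    actual = hashlib.sha256(loader).hexdigest()
    if not hmac.compare_digest(actual, pinned_loader_sha256):
        return False
    return embedded_check(loader, name, body)

# Constructed sample data (not real SWF content).
GOOD_LIB = b"constructed-good-library-bytes"
BAD_LIB = b"constructed-bad-library-bytes"
GOOD_LOADER = make_loader({"framework": GOOD_LIB})
PIN = hashlib.sha256(GOOD_LOADER).hexdigest()  # assumed to reach the client out of band

def scenarios():
    """Return (embedded, anchored) verdicts for three deliveries over the same channel."""
    rewritten_loader = make_loader({"framework": BAD_LIB})  # table replaced in transit
    cases = {
        "honest": (GOOD_LOADER, GOOD_LIB),
        "library_swapped": (GOOD_LOADER, BAD_LIB),
        "loader_and_library_swapped": (rewritten_loader, BAD_LIB),
    }
    return {
        label: (embedded_check(ldr, "framework", lib),
                anchored_check(ldr, "framework", lib, PIN))
        for label, (ldr, lib) in cases.items()
    }

if __name__ == "__main__":
    for label, verdict in scenarios().items():
        print(label, verdict)
```

Only the third case separates the two checks: the embedded table accepts the substituted library because the table travelled with it, while the check anchored outside the channel rejects the rewritten loader.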