loader.swf will also be loaded with the app and can be hacked by a m-i-t-m attack.
Sorry for the short message. Sent from my tablet.

On 20 Feb 2012 20:29, "Martin Heidegger" <m...@leichtgewicht.at> wrote:

> On 21/02/2012 04:18, Alex Harui wrote:
>
>> I don't think we can find a way to know that a file downloaded from one mirror is
>> the same as one coming from another mirror without downloading it in the first place.
>
> What is wrong about an approach where the "loader.swf" has MD5 hash of the files? It
> has to load and check the loaded files before initializing them. The man-in-the-middle
> would need to provide a hacked swf with the same md5 ... hard to achieve.
>
> yours
> Martin.
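
The two points made in this thread, side by side, as an added example that is not part of the original messages: a loader that checks pinned digests rejects a file altered in transit, but the check proves nothing once the loader and its digest list are replaced as well. SHA-256 stands in for the MD5 mentioned above; `framework.swf`, `other.swf` and the byte strings are constructed sample data.

```python
import hashlib
import hmac


def digest(data: bytes) -> str:
    # SHA-256 is used here in place of the MD5 named in the thread.
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict) -> dict:
    """Digest list a release would embed in the loader: file name -> digest."""
    return {name: digest(data) for name, data in files.items()}


def load_verified(manifest: dict, name: str, fetched: bytes) -> bytes:
    """Return the fetched bytes only if they match the pinned digest."""
    expected = manifest.get(name)
    if expected is None:
        raise ValueError(f"{name}: not listed in the manifest")
    if not hmac.compare_digest(expected, digest(fetched)):
        raise ValueError(f"{name}: digest mismatch, refusing to initialize")
    return fetched


def attempt(manifest: dict, name: str, fetched: bytes) -> str:
    try:
        load_verified(manifest, name, fetched)
        return "accepted"
    except ValueError:
        return "rejected"


# Constructed sample data; framework.swf is a hypothetical file name.
NAME = "framework.swf"
GENUINE = b"CWS|genuine framework bytes"
ALTERED = b"CWS|framework bytes altered in transit"


def demo() -> dict:
    pinned = build_manifest({NAME: GENUINE})
    # If loader.swf itself arrives over the same unauthenticated channel,
    # whoever altered the file can also ship a loader pinning the altered digest.
    swapped = build_manifest({NAME: ALTERED})
    return {
        "genuine file, genuine loader": attempt(pinned, NAME, GENUINE),
        "altered file, genuine loader": attempt(pinned, NAME, ALTERED),
        "altered file, replaced loader": attempt(swapped, NAME, ALTERED),
        "unlisted file, genuine loader": attempt(pinned, "other.swf", GENUINE),
    }
```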