2 Replies Latest reply on May 2, 2009 10:56 PM by jbenson@oper8

    Using a CAPTCHA for spam prevention in AIR/Flex app?

    rpeters1983

      We're developing a widget for a client using AIR and Flex. The client is hounding us to make use of a CAPTCHA script to prevent spam or bot signup accounts through this desktop widget. I'm arguing to use an email validation link instead.


      My thoughts are that neither will be any better, since this doesn't run on a web page: the user is validated as a human by downloading/installing the AIR widget in the first place. Spamming isn't the same on a desktop widget as it is on a public web page. At least email activation captures valid email addresses.


      Am I right to assume this? The client seems to think that spamming is as easy on this desktop AIR widget as it is on a web form. Your thoughts please. Thanks!


      Ryan

        • 2. Re: Using a CAPTCHA for spam prevention in AIR/Flex app?
          jbenson@oper8 Level 2

          The client seems to think that spamming is as easy on this desktop AIR widget as it is on a web form.


          Your client is off a bit. It's possible that it's even easier in the AIR application than it is on a web form. Reasoning: AIR applications do not protect their source. Depending on how you built your application, a malicious user can alter the application directly before running it. At least you're using Flex (which can be pretty protected); on the JS side we're hosed without obfuscation, and decent obfuscation in JS requires eval, which is not allowed by the AIR runtime. (All we really have is minor obfuscation and removal of white space, which is no protection at all.)


          I'd consider a captcha a good idea personally if the client wants it.  You could always detect how often the form in question is being submitted by the user and only ask for the captcha if it's within some arbitrary timeframe.


          Edit: I just looked at the Flex captcha posted in the above reply and I'm not sure that style of implementation is a good bet. If your application is submitting to a webservice then its presence is pretty easily discoverable regardless of what style of AIR application you are implementing (a URLRequest or other request will easily show up when monitoring HTTP traffic). If your application / service is popular and you are worried about spam, request a captcha image from the server itself and validate against it. That will ensure that the server is secure, and what your application does will matter little.


          (just my 2 cents)
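The server-side approach the reply recommends (the server issues the CAPTCHA, keeps the answer, and validates the response itself, optionally only after a client has submitted the form several times in a short window) is sketched below as an added example. It is not code from this thread, from Adobe, or from any AIR/Flex library; the AIR client is irrelevant to it by design, because everything is enforced on the server. The server language, the in-memory stores, the time-window and limit constants, and the function names are all assumptions for illustration. Image rendering from the answer is left out; the point is that the answer never leaves the server.

```python
import hmac
import secrets
import string
from collections import defaultdict, deque

# Hypothetical tuning values for this example (not from the thread).
CHALLENGE_TTL_SECONDS = 120       # how long an issued challenge stays valid
RATE_WINDOW_SECONDS = 60          # sliding window used to count form submissions
FREE_SUBMISSIONS_PER_WINDOW = 2   # submissions allowed before a CAPTCHA is demanded

# Alphabet without characters that are easy to confuse in an image (0/O, 1/I/L).
_ALPHABET = "".join(c for c in string.ascii_uppercase + string.digits if c not in "0O1IL")

# Constructed in-memory stores; a real deployment would keep these in a shared cache or DB.
_challenges = {}                   # challenge_id -> (answer, expires_at)
_submissions = defaultdict(deque)  # client key (account, IP, ...) -> recent submission times


def issue_challenge(now, length=6):
    """Create a one-time challenge. Returns (challenge_id, answer).

    The answer is returned only so the server can render the CAPTCHA image;
    the client receives the id and the image, never the answer.
    """
    answer = "".join(secrets.choice(_ALPHABET) for _ in range(length))
    challenge_id = secrets.token_urlsafe(16)
    _challenges[challenge_id] = (answer, now + CHALLENGE_TTL_SECONDS)
    return challenge_id, answer


def verify_challenge(challenge_id, response, now):
    """Validate a CAPTCHA response on the server.

    The challenge is consumed on first use whether or not the guess was right,
    so an answer cannot be replayed and a wrong guess cannot be retried.
    """
    entry = _challenges.pop(challenge_id, None)
    if entry is None:
        return False               # unknown id, or already consumed
    answer, expires_at = entry
    if now > expires_at:
        return False               # expired challenge
    # Constant-time comparison so response timing does not leak matching prefixes.
    return hmac.compare_digest(answer.encode(), response.strip().upper().encode())


def _recent_submissions(client_key, now):
    """Drop timestamps outside the window and return how many remain."""
    window = _submissions[client_key]
    while window and window[0] <= now - RATE_WINDOW_SECONDS:
        window.popleft()
    return len(window)


def captcha_required(client_key, now):
    """True once this client has used up its free submissions in the window."""
    return _recent_submissions(client_key, now) >= FREE_SUBMISSIONS_PER_WINDOW


def handle_signup(client_key, now, challenge_id=None, response=None):
    """Server-side gate for the signup form.

    Returns 'accepted', 'captcha_required' or 'rejected'. Because the decision
    is made here, a modified AIR client cannot skip the check; the worst it can
    do is send requests, which the rate window then turns into CAPTCHA demands.
    """
    if captcha_required(client_key, now):
        if challenge_id is None or response is None:
            return "captcha_required"
        if not verify_challenge(challenge_id, response, now):
            return "rejected"
    _submissions[client_key].append(now)
    return "accepted"
```

The signup handler is what the AIR widget's web service would call; `issue_challenge` backs a separate endpoint that returns the id plus a rendered image. The `now` parameter is passed in rather than read from the clock so the behaviour (expiry, window reset) can be exercised deterministically.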