
A security breach?

Mar 6, 2012 1:20 PM

I have a question.

 

Will this tool provide an option to disassemble to source code?

(I hope it will not, otherwise it would create a great security breach for the whole platform from the creators of the platform themselves).

 

Thanks!

 
Replies
  • Mar 6, 2012 2:55 PM   in reply to StasA2

    StasA2,

    There is nothing in this tool that isn't already possible using a number of existing free and commercial products. These have been available for as long as I can remember.  No one should be hard coding any sensitive data in a SWF. 

     
  • Mar 6, 2012 3:39 PM   in reply to StasA2

    Let me know any applications you have developed, so I know not to trust their security. Thanks.

     
  • Mar 6, 2012 3:42 PM   in reply to StasA2

    StasA2,

     

    It's an AIR app (compiled w/ captive runtime), so you can actually pull out the .swf from the install and use SWF Investigator to see all the classes they are using. They're using SWFDump (part of the SDK) for parts of the app. At the end of the day, you can make it very hard and annoying for a potential hacker, etc., but nothing is ever secure in a SWF. Someone who is determined enough can get the data from any encrypted and obfuscated SWF. Jump to the 7:20 mark -> http://tv.adobe.com/watch/how-to-develop-secure-flash-platform-apps/sensitive-data-within-a-swf/ from Platform Security Strategist Peleus Uhley

     
  • Mar 19, 2012 2:06 PM   in reply to StasA2

    I agree with StasA2. I just had a look at a few SWFs using SWFInvestigator... scary!... to say the least.

     

    It's one thing when a 3rd party decompiles -> this is only the top layer of an application they are decompiling... with Adobe -> they have FULL access to the bottom layer of any code compiled into an swf... which makes this tool a HIGH security risk...

     

    Can an Adobe employee comment on this please!

     
  • Mar 20, 2012 9:31 PM   in reply to ReshapeMedia

    The functionality provided by SWF Investigator is currently available using existing Adobe tools and public information. The SWF file format specification and the AVM2 specification are publicly available. The AS2 disassembly and tag viewing functionality was a port of the open-source Flex SDK swfdump utility: http://opensource.adobe.com/svn/opensource/flex/sdk/trunk/bin/. The AS3 disassembly is from the open-source Tamarin code that is the basis for the Flash Player AVM2 engine. From a disassembly point of view, SWF Investigator merely provides a basic GUI for what were previously command-line tools.

     

    Obfuscators are good for keeping the honest people honest. However, if the information within the SWF is valuable enough, then someone will take the time to take it apart using any number of methods (decompiling, monitoring network traffic, monitoring process memory using Cheat Engine, etc.). As an example, this is an anti-virus company bypassing DoSWF obfuscation in order to analyze a malicious SWF: https://blog.avast.com/2011/09/09/breaking-through-flash-obfuscation/ At the end of the day, your SWF is running on the attacker's machine and they have full control of that environment. Each organization must make their own judgment call regarding the actual value of the information they place inside the SWF to determine whether an obfuscator is necessary and/or sufficient protection. In most cases, it is best to architect the application such that storing a secret inside of the SWF is unnecessary. An obfuscator can be useful in some situations but you should always be prepared for someone bypassing it.

     

    Aside from Adobe tools, there are a wide variety of disassemblers, decompilers and LSO viewers available on the Internet. The OWASP Flash Security Project lists many of these tools: https://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project  SWF Investigator does not provide any functionality that isn't already available in other free tools. There are no current plans for turning the SWF Investigator disassembler into a decompiler. I am not sure what is meant by the "bottom layer of any code" so I can't speak to that.

     

    I apologize for the delay in my response. Let me know if you have any further questions.

     
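Added example, not part of any post in this thread and not Adobe's code: a pre-release check a team could run on its own build to confirm that nothing credential-like was compiled into the SWF, which also shows that CWS compression hides nothing. The keyword list, function names and sample bytes are constructed assumptions; only FWS and zlib-compressed CWS files are handled.

```python
import re
import struct
import zlib

# Keywords suggesting a credential was compiled in (assumed list; tune per project).
SUSPECT = re.compile(rb"(?i)(passw(or)?d|secret|api[_-]?key|token|BEGIN [A-Z ]*PRIVATE KEY)")
PRINTABLE = re.compile(rb"[\x20-\x7e]{6,}")


def swf_body(data: bytes) -> bytes:
    """Return the uncompressed body that follows the 8-byte SWF header."""
    if len(data) < 8:
        raise ValueError("too short to be a SWF")
    sig, _version, length = struct.unpack("<3sBI", data[:8])
    if sig == b"FWS":
        return data[8:]
    if sig == b"CWS":
        body = zlib.decompress(data[8:])
        if len(body) + 8 != length:
            raise ValueError("declared length does not match decompressed size")
        return body
    raise ValueError(f"unsupported signature {sig!r}")  # e.g. LZMA-packed ZWS


def find_embedded_secrets(data: bytes) -> list[str]:
    """List printable strings in the SWF body that match a credential keyword."""
    hits = []
    for m in PRINTABLE.finditer(swf_body(data)):
        if SUSPECT.search(m.group()):
            hits.append(m.group().decode("ascii"))
    return hits


def make_sample_swf(compressed: bool) -> bytes:
    """Constructed sample: not a valid tag stream, only a header plus body bytes."""
    body = b"\x00\x3f\x03\x0cServiceProxy\x18apiKey=CONSTRUCTED-0000\x07connect\x00"
    header = struct.pack("<3sBI", b"CWS" if compressed else b"FWS", 10, len(body) + 8)
    return header + (zlib.compress(body) if compressed else body)


if __name__ == "__main__":
    for flag in (False, True):
        print(flag, find_embedded_secrets(make_sample_swf(flag)))
```

Any hit is a value to move behind an authenticated server-side call rather than something to obfuscate harder.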
