8 Replies Latest reply: Mar 21, 2012 11:35 AM by StasA2

    A security breach?

    StasA2 Community Member

      I have a question.

      Will this tool provide an option for disassemble to source code?

      (I hope it will not, otherwise it would create a great security breach for the whole platform from the creators of the platform themselves).

      Thanks!

        • 1. Re: A security breach?
          John J Olson Community Member

          StasA2,

          There is nothing in this tool that isn't already possible using a number of existing free and commercial products. These have been available for as long as I can remember. No one should be hard-coding any sensitive data in a SWF.

          • 2. Re: A security breach?
            StasA2 Community Member

            I don't agree, John.

            There are tools for obfuscating SWF so it won't be read by any solution available on the market. So you CAN code sensitive data into SWF. And our company has done that successfully for many years.

            BUT if Adobe provides a tool for a real disassembly (because they know more than any 3rd party), then it will be a serious threat to the whole platform and a real big nail in the Flash coffin, and to many teams and projects.

            So I'm curious whether Adobe really does it.

            Can an Adobe employee answer the question?

            Thanks!

            • 3. Re: A security breach?
              davr64 Community Member

              Let me know any applications you have developed, so I know not to trust their security. Thanks.

              • 4. Re: A security breach?
                John J Olson Community Member

                StasA2,

                It's an AIR app (compiled w/ captive runtime), so you can actually pull out the .swf from the install and use SWF Investigator to see all the classes they are using. They're using SWFDump (part of the SDK) for parts of the app. At the end of the day, you can make it very hard and annoying for a potential hacker, etc., but nothing is ever secure in a SWF. Someone who is determined enough can get the data from any encrypted and obfuscated SWF. Just go to the 7:20 mark -> http://tv.adobe.com/watch/how-to-develop-secure-flash-platform-apps/sensitive-data-within-a-swf/ from Platform Security Strategist Peleus Uhley

                • 5. Re: A security breach?
                  StasA2 Community Member

                  Thank you for the explanation, guys.

                  I see everything that you have said. Please, I don't want to argue about what solutions you use, or whether you can offer something better. The current state of the platform provides a decent state of security (comparable to that of native Mac or Win platforms) for our company and for many other companies I know.

                  Please start a different thread to discuss it if you wish. Thanks again for understanding and let's wait for the answer from creators.

                  Let us not tangle this thread.

                  Please, can an Adobe employee answer if they will continue to develop this tool so it will be able to completely disassemble binary into source code? (Making the platform completely insecure)

                  Thanks.

                  • 6. Re: A security breach?
                    ReshapeMedia

                    I agree with StasA2. I just had a look at a few SWFs using SWFInvestigator... scary!... to say the least.

                    It's one thing when a 3rd party decompiles -> this is only the top layer of an application they are decompiling... with Adobe -> they have FULL access to the bottom layer of any code compiled into a SWF... which makes this tool a HIGH security risk...

                    Can an Adobe employee comment on this please!

                    • 7. Re: A security breach?
                      puhley Community Member

                      The functionality provided by SWF Investigator is currently available using existing Adobe tools and public information. The SWF file format specification and the AVM2 specification are publicly available. The AS2 disassembly and tag viewing functionality was a port of the open-source Flex SDK swfdump utility: http://opensource.adobe.com/svn/opensource/flex/sdk/trunk/bin/. The AS3 disassembly is from the open-source Tamarin code that is the basis for the Flash Player AVM2 engine. From a disassembly point of view, SWF Investigator merely provides a basic GUI for what were previously command-line tools.

                      Obfuscators are good for keeping the honest people honest. However, if the information within the SWF is valuable enough, then someone will take the time to take it apart using any number of methods (decompiling, monitoring network traffic, monitoring process memory using Cheat Engine, etc.). As an example, this is an anti-virus company bypassing DoSWF obfuscation in order to analyze a malicious SWF: https://blog.avast.com/2011/09/09/breaking-through-flash-obfuscation/. At the end of the day, your SWF is running on the attacker's machine and they have full control of that environment. Each organization must make their own judgment call regarding the actual value of the information they place inside the SWF to determine whether an obfuscator is necessary and/or sufficient protection. In most cases, it is best to architect the application such that storing a secret inside of the SWF is unnecessary. An obfuscator can be useful in some situations but you should always be prepared for someone bypassing it.

                      Aside from Adobe tools, there are a wide variety of disassemblers, decompilers and LSO viewers available on the Internet. The OWASP Flash Security Project lists many of these tools: https://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project. SWF Investigator does not provide any functionality that isn't already available in other free tools. There are no current plans for turning the SWF Investigator disassembler into a decompiler. I am not sure what is meant by the "bottom layer of any code" so I can't speak to that.

                      I apologize for the delay in my response. Let me know if you have any further questions.
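The point made in the reply above, that the SWF format is public and that whatever is compiled into a SWF is readable by anyone who reads the specification, can be shown with a small parser. The following Python is an added example written for this page; it is not code from SWF Investigator, swfdump, Tamarin or anyone in the thread. It constructs a minimal CWS file whose only content tag is a DefineBinaryData tag holding a constructed placeholder string (a stand-in for a hard-coded secret), then parses the header, FrameSize RECT, RECORDHEADERs and tag bodies using only the field layouts from the SWF specification plus zlib. The sample file, the placeholder value and the helper names are assumptions made for the demonstration.

```python
import struct
import zlib


def encode_rect(xmin: int, xmax: int, ymin: int, ymax: int) -> bytes:
    """Encode a SWF RECT: 5-bit Nbits field, then four Nbits-wide signed values (twips)."""
    vals = (xmin, xmax, ymin, ymax)
    nbits = max(v.bit_length() for v in vals) + 1  # one extra bit for the sign
    acc, total = nbits, 5
    for v in vals:
        acc = (acc << nbits) | (v & ((1 << nbits) - 1))
        total += nbits
    pad = (-total) % 8  # a RECT is padded out to a byte boundary
    return (acc << pad).to_bytes((total + pad) // 8, "big")


def decode_rect(buf: bytes, pos: int):
    """Decode a RECT starting at buf[pos]; return ((xmin, xmax, ymin, ymax), next_pos)."""
    nbits = buf[pos] >> 3
    total = 5 + 4 * nbits
    nbytes = (total + 7) // 8
    acc = int.from_bytes(buf[pos:pos + nbytes], "big") >> (nbytes * 8 - total)
    vals = []
    for i in range(4):
        v = (acc >> ((3 - i) * nbits)) & ((1 << nbits) - 1)
        if v >> (nbits - 1):  # sign-extend two's-complement values
            v -= 1 << nbits
        vals.append(v)
    return tuple(vals), pos + nbytes


def encode_tag(code: int, body: bytes) -> bytes:
    """RECORDHEADER: UI16 = (code << 6) | length; length 0x3F means a UI32 long length follows."""
    if len(body) < 0x3F:
        return struct.pack("<H", (code << 6) | len(body)) + body
    return struct.pack("<HI", (code << 6) | 0x3F, len(body)) + body


DEFINE_BINARY_DATA = 87  # tag code from the public SWF specification
END_TAG = 0


def build_sample_swf(secret: bytes) -> bytes:
    """Constructed stand-in for a compiled SWF that embeds `secret` in a DefineBinaryData tag."""
    # FrameSize 550x400 px expressed in twips, frame rate 24 (8.8 fixed point), one frame.
    body = encode_rect(0, 11000, 0, 8000) + struct.pack("<HH", 24 << 8, 1)
    # DefineBinaryData body: CharacterID (UI16), Reserved (UI32), then the raw data.
    body += encode_tag(DEFINE_BINARY_DATA, struct.pack("<HI", 1, 0) + secret)
    body += encode_tag(END_TAG, b"")
    # CWS layout: 8-byte header in the clear, everything after it zlib-compressed.
    return b"CWS" + bytes([10]) + struct.pack("<I", 8 + len(body)) + zlib.compress(body)


def parse_swf(data: bytes) -> dict:
    """Parse header, FrameSize, frame rate/count and the tag list of an FWS or CWS file."""
    signature = data[:3]
    version = data[3]
    file_length = struct.unpack_from("<I", data, 4)[0]
    if signature == b"FWS":
        body = data[8:]
    elif signature == b"CWS":
        body = zlib.decompress(data[8:])
    elif signature == b"ZWS":
        raise NotImplementedError("LZMA-compressed SWF (ZWS) is not handled in this example")
    else:
        raise ValueError("not a SWF file")
    if 8 + len(body) != file_length:
        raise ValueError("FileLength does not match the decompressed size")
    frame_size, pos = decode_rect(body, 0)
    frame_rate, frame_count = struct.unpack_from("<HH", body, pos)
    pos += 4
    tags = []
    while pos < len(body):
        code_and_length = struct.unpack_from("<H", body, pos)[0]
        pos += 2
        code, length = code_and_length >> 6, code_and_length & 0x3F
        if length == 0x3F:  # long RECORDHEADER
            length = struct.unpack_from("<I", body, pos)[0]
            pos += 4
        tags.append((code, body[pos:pos + length]))
        pos += length
        if code == END_TAG:
            break
    return {"version": version, "frame_size": frame_size, "frame_rate": frame_rate / 256,
            "frame_count": frame_count, "tags": tags}


def find_in_tags(swf: bytes, needle: bytes) -> list:
    """Return the codes of every tag whose (decompressed) body contains `needle`."""
    return [code for code, body in parse_swf(swf)["tags"] if needle in body]


if __name__ == "__main__":
    SECRET = b"api_key=EXAMPLE-NOT-A-REAL-KEY"  # constructed placeholder, not a real credential
    sample = build_sample_swf(SECRET)
    info = parse_swf(sample)
    print(info["version"], info["frame_size"], info["frame_rate"], [c for c, _ in info["tags"]])
    print("tags containing the placeholder:", find_in_tags(sample, SECRET))
```

A plain byte search over the raw file can miss the value because the CWS body is zlib-compressed, but one decompression step later the tag body holds it verbatim; string constants in the ABC constant pool of a DoABC tag are stored in the clear in the same way, which is all a disassembler needs. That is the mechanism behind the advice above to design the application so that no secret has to live inside the SWF at all.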

                      • 8. Re: A security breach?
                        StasA2 Community Member

                        Thank you very much for the answer (I guess you're an Adobe employee?)

                        Even after that I can assure you there are ways of protecting SWF code on a level similar to Mac or Windows native code protection. A very high level. For obvious reasons I won't post here any links or details. The one thing that bothered me was that Adobe, with their inside knowledge and experience, would make a tool for decompilation, rendering the Flash platform completely useless. You said that you won't do it, so now I can sleep well.

                        Thank you!