9 Replies Latest reply on Jan 4, 2008 7:38 AM by Varangian

    Flash / Flex security

    Varangian
      Hello,

      probably this sounds really silly... however wanted to ask just how secure is Flex/Flash? Since it's on the client, a user can easily decompile a .swf and modify any variables and pass them to the server.. you know like client script to server.

      also is there something that can be done to invalidate the application or the .swf once a third party client modifies any variables?

      I wanted a 100% confirm.

      Thanks!
        • 1. Re: Flash / Flex security
          peterent Level 2
          If your SWF is served from domain yourdomain.com and is accessing data from yourdomain.com, then if anyone tries to launch your SWF from some other domain (say they captured your SWF, decompiled it, mucked with it, etc), that altered SWF will not be able to get the data from yourdomain.com - it will get a security error. The domains much match unless you foolishly open your domain with a crossdomain.xml policy file.

          I believe that the Flash Player security is better than anything else out there. We put a huge amount of effort into making the player secure. Sometimes it is inconvenient, but that is price you have to pay because people do bad things.
          • 2. Flash / Flex security
            Varangian Level 1
            Hello peterent,

            thanks for your reply.

            1) The domains much match unless you foolishly open your domain with a crossdomain.xml policy file. - I think I didn't quite get this.

            2) how about injecting into variables... from the yourdomain.com into the .swf is that possible? exactly like how javascript is usually hacked from the client. "ajax" website usually have a security loophole if not tackled properly in situation like this, I don't know if .swf has the same issues.

            3) Is there anything I have to do to make this security error pop or is it automatically?

            another problem I found - http://www.quirksmode.org/js/flash_call.html

            Here if someone installs some kind of program it can access functions or variables... :S using javascript

            Thanks again!
            • 3. Re: Flash / Flex security
              peterent Level 2
              It wouldn't be possible to hijack the SWF bytecode and alter it on the fly - it is too complex for that (and if someone can do that with an AI of some sort, well, no one is safe). They will have to copy the SWF and mess with it, then post it to some domain of their own and then the Flash Player will recognize the different domains.

              Another thing you can do is have a shell SWF which loads your main swf. This is atypical behavior and while it does make a second request to the server (which someone can see with a sniffer) you can use this to your advantage.

              When you load main.swf into shell.swf, you can ask main.swf how many bytesTotal it is. Then you change shell.swf to hold this value: var mainSize:int = 654321. Now shell.swf requests main.swf and compares main.swf's size against mainSize. If shell.swf sees that the values aren't identical, it knows main.swf isn't correct.

              This isn't 100% foolproof, but someone would have to a) know you are doing this and b) hack your main.swf in such a way that the byte size remains the same. Quite a challenge I think.

              Finally, all security measures are automatic. You can override some of them (check the documentation for the Security.allowDomain function and others in the Security class).

              One more thing: suppose someone writes their own shell.swf and uses it to load your main.swf. Unless they have access to your server, they will launch their evilshell.swf from their domain: evildoer.com. That becomes the "home" domain for the Flash Player. Now they load your swf from yourdomain.com. Since evildoer.com is not yourdomain.com, your SWF can request your data, but since the home domain is no longer yourdomain.com, there is a security violation. The home domain for the Flash Player must be yourdomain.com in order to read data from yourdomain.com.

              Anyone loading your swf into their swf also cannot access data and functions (see allowDomain) so your information is still protected.
              • 4. Re: Flash / Flex security
                Varangian Level 1
                I think I got it clear thanks again.

                another problem I found - http://www.quirksmode.org/js/flash_call.html

                Here if someone installs some kind of program it can access functions or variables... :S using javascript

                is this true?
                • 5. Re: Flash / Flex security
                  peterent Level 2
                  To call ActionScript functions from JavaScript requires your program to register itself with the Flash ExternalInterface API. If you don't do it, then no ActionScript functions can be invoked.

                  If search the web for "swf obsfucation" you'll find other people with similar questions and some other solutions supplied by 3rd parties.
                  • 6. Re: Flash / Flex security
                    Varangian Level 1
                    thank you peterent,

                    I really appreciated....
                    • 7. Re: Flash / Flex security
                      Varangian Level 1
                      I can see out that there are third party applications that can decrypt your actionScript.
                      • 8. Re: Flash / Flex security
                        peterent Level 2
                        That's where the 3rd party obsfucation can be helpful. The decryption would get yield gibberish. You'll find that hackers will go to enormous lengths - not only with SWFs but AJAX, JavaScript, Java applets, etc.

                        If they do decrypt the ActionScript, unless the code itself is sensitive (and passwords and usernames are a no-no anyway), they will have to edit it and then compile it, and place it onto some domain for someone to pick up in lieu of your SWF.

                        Don't forget that you can use HTTPS as well. If you load your SWF from an HTTPS site, then you load your data using HTTPS as well. Just an extra measure.
                        • 9. Re: Flash / Flex security
                          Varangian Level 1
                          yes Flex applications usually rely on data from a server anyway... but sometimes certain logic can't be done on the server and even share the load with client can be useful.. that's why I was tempted to ask such question.

                          Basic web development tell us that the client can be hacked easily and so you have to check everything back on the server. Seems with SWF is something different though that's what I understood.