23 Replies Latest reply on Jul 9, 2008 2:15 PM by Dr. Fred Mbogo

    .air is just a zip file with clear source inside

    TheDude7563
      Hey,

      I just noticed something very strange. I have a packaged, signed "myapp.air" file on my web server. When I use my browser to open a direct link to the "http://mysite.com/myapp.air" file, it downloads a "myapp.air.zip", and then you can extract real, clear-text source files!!! I tried this on a few XP/Vista/OS X machines, and every one of them was able to extract the app sources!!

      Now, I can't help but ask, WT*?
        • 1. Re: .air is just a zip file with clear source??
          TheDude7563 Level 1
          Well, so I just downloaded a bunch of AIR apps, including eBay and AOL ones, and I was able to get to the source of each and every one of them.

          So as for now every AIR app is open source...
          • 2. Re: .air is just a zip file with clear source inside
            ch4tLock
            it is freaky.. thanx for sharing..
            • 3. Re: .air is just a zip file with clear source inside
              allanjard Level 1
              Yikes! That is quite worrying. Proprietary APIs, passwords etc could all be exposed here with little to no reverse engineering.

              Is this a design decision from Adobe, or something was missed?
              • 4. .air is just a zip file with clear source inside
                kgeiwitz
                If you're using FlexBuilder to make your AIR file, uncheck the "Enable view source" checkbox on the Export Release Build dialog.

                I just downloaded the XdriveDestopLite.air file (AOL) and looked in it . . . you don't get any source code . . . you can see the swf files and other assets to make the application run, but NO source code.
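                The check kgeiwitz did by hand (open the .air as a zip and look for source next to the SWF) can be scripted before a build is published. This is an added example, not code from this thread or from Adobe; it reads the AIR descriptor at its real path META-INF/AIR/application.xml, while the sample archive entries and the credential pattern are constructed.

```python
"""Audit an Adobe AIR package (a zip archive) for clear-text source files.

Added example, not code from the thread or from Adobe. META-INF/AIR/application.xml
is where AIR stores the application descriptor; the other entry names in the
sample archive are constructed for the demo.
"""
import io
import re
import zipfile

# Extensions that mean readable source is shipping inside the package.
SOURCE_EXTS = {".as", ".mxml", ".js", ".html", ".htm", ".css", ".xml", ".txt"}
# Very rough credential pattern for a first-pass review of text entries.
SECRET_RE = re.compile(r"(password|passwd|secret|api[_-]?key)\s*[:=]", re.I)


def audit_air_package(data: bytes) -> dict:
    """Return what a reviewer wants to know before the package is published."""
    report = {"descriptor": False, "source_files": [], "secret_hits": [], "other": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            if name.endswith("/"):
                continue  # directory entry
            if name == "META-INF/AIR/application.xml":
                report["descriptor"] = True
                continue
            if name.startswith("META-INF/"):
                report["other"].append(name)  # signature files etc.
                continue
            ext = name[name.rfind("."):].lower() if "." in name else ""
            if ext in SOURCE_EXTS:
                report["source_files"].append(name)
                text = zf.read(name).decode("utf-8", errors="replace")
                if SECRET_RE.search(text):
                    report["secret_hits"].append(name)
            else:
                report["other"].append(name)  # SWF and binary assets
    return report


def build_sample_package() -> bytes:
    """Constructed sample: a Flex export with 'Enable view source' left on."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/AIR/application.xml", "<application/>")
        zf.writestr("myapp.swf", b"FWS\x09" + b"\x00" * 16)  # fake SWF bytes
        zf.writestr("srcview/Main.mxml", "<mx:Application/>")
        zf.writestr("srcview/Config.as",
                    'package { public const apiKey:String = "k"; }')
    return buf.getvalue()
```

Run `audit_air_package(open("myapp.air", "rb").read())` against a real export; any entry in `source_files` means the view-source option was left on.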
                • 5. Re: .air is just a zip file with clear source inside
                  TheDude7563 Level 1
                  And what about people using HTML+AJAX? Then you can access all source files.

                  And I don't know how about Flex, but Flash .swf files can be easily converted back to .fla
                  • 6. .air is just a zip file with clear source inside
                    kgeiwitz Level 1
                    anything can be reverse engineered

                    JAMOTAM (just a matter of time and money)
                    • 7. Re: .air is just a zip file with clear source inside
                      TheDude7563 Level 1
                      kgeiwitz,
                      so what you're saying is that it's not important that getting source from an AIR app is as easy as right click + view source?
                      • 8. Re: .air is just a zip file with clear source inside
                        ch4tLock Level 1
                        :) kgeiwitz.. agree with you, but it shouldn't be as easy as right click + view source, as thedude says.. It should be much harder to crack in.. if it is not important, then why does adobe encrypt swf files (also below vers. 9 can be decrypted in secs)? also they could place a view source function in the flash player menu.. :P
                        • 9. Re: .air is just a zip file with clear source inside
                          kgeiwitz Level 1
                          The air file is just a zip to save on bandwidth when downloading. All the files in the air file get expanded into the installation directory, so I don't think it is an issue. You should take that into account when you code your application.
                          • 10. Re: .air is just a zip file with clear source inside
                            TheDude7563 Level 1
                            and where does it say that on the adobe website?
                            • 11. Re: .air is just a zip file with clear source inside
                              normyee
                              quote:

                              Originally posted by: kgeiwitz
                              The air file is just a zip to save on bandwidth when downloading. All the files in the air file get expanded into the installation directory, so I don't think it is an issue. You should take that into account when you code your application.


                              agreed. it's not like you can't go into say c:\program files\[air app name] and see the files that the air app uses. same deal with java .jar files, which are essentially zip'd up files

                              • 12. Re: .air is just a zip file with clear source inside
                                allanjard Level 1
                                Disagreed from my perspective. If I'm developing an AIR application which people pay to buy a licence for, then I don't want them to be able to unzip the application and then do whatever the heck they want with it, with next to no effort. You can't exactly do this with Adobe Photoshop...

                                Zipping the files makes simple sense of course, and many other formats do this (Collada, OpenOffice etc), but I had expected the AIR compiler to implement obfuscation and encryption.
                                • 13. Re: .air is just a zip file with clear source inside
                                  Dr. Fred Mbogo Level 1
                                  quote:

                                  Originally posted by: allanjard
                                  I had expected the AIR compiler to implement obfuscation and encryption.


                                  Obfuscation: it does, if you turn off "View Source". A "decompiled" SWF file has only as many publicly-visible symbols in it as is necessary for the program to run. With a dynamic language like ActionScript, you can't obfuscate all symbols, because at compile time, there's a limit on how much you can infer about visibility of symbols.

                                  Encryption: doomed to failure in this application. The AIR runtime must be able to read the program, which means it has to be able to remove any such encryption. If the decrypter is on the user's computer, someone will figure out how to decrypt any AIR program. DVD Video, HD-DVD, and BluRay are all encrypted, and all have been cracked, for this very reason. Same with most DRM and console game systems. The only way to prevent decryption is to keep the key secret, and you can't do that when you give out the key to all your users.

                                  This is a tempest in a teapot. The biggest threat to you -- as a software writer -- not getting paid is casual piracy, and that doesn't depend on the visibility of source code.

                                  If you have to have "secret sauce" that absolutely must be protected, put it on a public server. AIR ships with a very capable set of networking APIs.
                                  • 14. Re: .air is just a zip file with clear source inside
                                    TheDude7563 Level 1
                                    I wonder how far Internet apps would get if all server-side scripts (PHP, ASP etc.) had clear sources...
                                    • 15. Re: .air is just a zip file with clear source inside
                                      allanjard Level 1
                                      Or indeed desktop applications, given that AIR apps straddle the boundary between the two.

                                      quote:

                                      Originally posted by: jkhgdkhgslkj
                                      Obfuscation: it does, if you turn off "View Source". A "decompiled" SWF file has only as many publicly-visible symbols in it as is necessary for the program to run.


                                      That's fine for SWFs. But not for Javascript / HTML applications.
                                      • 16. Re: .air is just a zip file with clear source inside
                                        john isaacks Level 1
                                        I've known about this, you can do the same thing with .swc and most .exe installers.
                                        • 17. .air is just a zip file with clear source inside
                                          Dr. Fred Mbogo Level 1
                                          quote:

                                          Originally posted by: TheDude7563
                                          I wonder how far Internet apps would get if all server-side scripts (PHP, ASP etc.) had clear sources...

                                          You're making one of my points for me: if you want to hide some of your code, put it on the server side. It can be PHP, ASP, or, using something like Aptana, more JavaScript.

                                          As for the client side, much of the success of the WWW is due to View Source. How many times have you learned a technique by just looking at how someone else did it, rather than read about it in tutorial form somewhere? No doubt the application you built using that technique did something different with it, so the original creator of it didn't "lose" anything by giving away his secret.

                                          Similarly, look at how many current popular web applications have substantial client-side pieces -- Gmail, for example -- with relatively boring server-side pieces. Why has no one cloned Gmail?

                                          Hiding your source doesn't guarantee success. Giving your source away doesn't guarantee failure. If your application is interesting and offers a good value proposition, you shouldn't expect any more piracy than is normal for that type of application.
                                          • 18. Re: .air is just a zip file with clear source inside
                                            Robert Christensen Level 2
                                            Hi All,

                                            Yes, as others have mentioned on this thread, an .air file is simply a .zip file and this is a well known fact. That's by design and is mentioned in our documentation.

                                            If you would like to have us provide better support for source code protection such as automatic obfuscation, please let us know by sending a feature request to the Adobe AIR team at http://www.adobe.com/go/wish/ -- we'd like to hear from you about this and other feature requests you might have.

                                            Thank you,
                                            - Rob

                                            Adobe AIR Team
                                            • 19. Re: .air is just a zip file with clear source inside
                                              gladobe
                                              I agree with the dude and others. I just submitted the following feature request:

                                              Currently, there is very little protection of AIR application source code. Unlike exe files, swf files can be easily reverse engineered.

                                              This was less of a problem for Flex apps that were accessed over the network anyway (so proprietary logic could be contained on the server side).

                                              But now that we have AIR apps that are 'sometimes on', some logic that was previously on the server side, may now shift to the client side. Therefore, it is important to give consideration to improved source code protection.
                                              • 20. Re: .air is just a zip file with clear source inside
                                                Dr. Fred Mbogo Level 1
                                                It's great and all to say "Something Should Be Done", but how do you suppose they will do this?

                                                As I said above, you can't obfuscate a dynamic language like ActionScript to anything near the degree of difference between, say, C++ and x86 machine language. It's in the nature of a dynamic language that the source code must remain available. Just the way it is.

                                                I've also knocked down the encryption argument.

                                                So, what exactly do you want Adobe to do?

                                                I'm also curious to know why you believe you need this. What exactly do you suppose this "protection" will do for you? Seriously. Let's discuss it.
                                                • 21. Re: .air is just a zip file with clear source inside
                                                  anemitoff12
                                                  I brought up security concerns in a previous thread months ago: (http://www.adobe.com/cfusion/webforums/forum/messageview.cfm?catid=697&threadid=1343604)

                                                  I will be using obfuscation to make reverse engineering my code more difficult (but not impossible). One thing Adobe could do is include a javascript obfuscation option into its adl compiler.

                                                  But I am still concerned about code injection into my deployed app. Another thing that Adobe could do would be to enhance the signing feature to create signatures for the various source code resources which would be automatically verified upon application startup.

                                                  Finally, another possible solution might be to deploy the application in a packaged format (instead of extracting the resources directly to the filesystem) and the runtime could extract the resources when needed from the package in a JIT (just-in-time) manner.

                                                  I believe each of these proposed security aids (I won't call them solutions) could actually be implemented without Adobe's assistance in the AIR application itself (although they would not be as efficient as when implemented in a native application). But Adobe has the resources and incentive (I would assume) to do a better job. And if my ideas are not valid, I am sure the smart people at Adobe would be able to come up with a few of their own which are.
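                                                  The per-resource integrity check anemitoff12 describes, done inside the app as he suggests rather than by the runtime: this is an added example, not code from the thread or from Adobe. It builds a SHA-256 manifest of the unpacked install directory at build time and verifies it at startup; the file names are constructed, and the manifest itself still has to be signed by the build and kept where a tamperer cannot rewrite it along with the code.

```python
"""Startup integrity check for an AIR app's unpacked resource files.

Added example, not code from the thread or from Adobe. A manifest alone only
detects tampering; whoever can rewrite js/app.js can rewrite the manifest too,
so a real deployment signs the manifest at build time and verifies that
signature first. File names below are constructed for the demo.
"""
import hashlib
import os
import tempfile

MANIFEST_NAME = "resources.sha256"  # assumed name for the shipped manifest


def _sha256(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> dict:
    """Build step: hash every file under root except the manifest itself."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if rel != MANIFEST_NAME:
                manifest[rel] = _sha256(full)
    return manifest


def verify_manifest(root: str, manifest: dict) -> dict:
    """Startup step: report files modified, removed or added since the build."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in manifest),
    }


def demo() -> dict:
    """Constructed install dir: build the manifest, then tamper with the app."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "js"))
        files = {"index.html": b"<html></html>", "js/app.js": b"login();"}
        for rel, data in files.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        manifest = build_manifest(root)
        # Simulate code injected into a deployed file plus a dropped extra file.
        with open(os.path.join(root, "js", "app.js"), "ab") as f:
            f.write(b"\n// injected")
        with open(os.path.join(root, "js", "extra.js"), "wb") as f:
            f.write(b"")
        return verify_manifest(root, manifest)
```

An app would call `verify_manifest` from its startup code and refuse to run (or phone home) when any of the three lists is non-empty.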
                                                  • 22. Re: .air is just a zip file with clear source inside
                                                    gladobe Level 1
                                                    jkhgdkhgslkj, as user anemitoff12 has stated, I'm sure the smart folks at adobe could come up with some mechanism to improve source code protection.

                                                    To answer your other question as to 'why'. Well, simply put, the more difficult you make it to obtain the source code, the more protection you have.

                                                    So, no one is arguing that you can completely eliminate the possibility that someone with enough time/effort could decompile any source code. But by improving the protection, you would increase the complexity of reverse engineering, thereby reducing the likelihood that code would be compromised.

                                                    What I personally am worried about is not whether or not a hacker can use the program for free (my particular program would require a server-side authentication for data updates and the content would only be interesting to the owner of the authentication credentials). Instead, I am worried about the accessibility of the source code and the potential that a competitor might use the same proprietary algorithms contained within my product. Making the code less accessible would highly dissuade competitors from doing so, and make such a process very time consuming and/or costly.

                                                    Let me pose a question back to you -- if such things weren't important, then why would large companies such as Adobe and Microsoft require serial numbers and keys to use their software? After all, as you mentioned, everything can be hacked.
                                                    • 23. Re: .air is just a zip file with clear source inside
                                                      Dr. Fred Mbogo Level 1
                                                      quote:

                                                      Originally posted by: gladobe
                                                      I'm sure the smart folks at adobe could come up with some mechanism to improve source code protection.
                                                      You know, I wouldn't have asked that question if we weren't all programmers here. No doubt, you have to be smart to work at Adobe, but Adobe doesn't employ all the smart programmers. I'm no dummy and I suspect there are a lot of other smart, non-Adobe people here. You can't prove a negative, of course, but the lack of answer to my question makes me wonder if there is an answer.

                                                      quote:

                                                      the more difficult you make it to obtain the source code, the more protection you have.
                                                      Certainly. But, that argument rests on the assumption that this vague obfuscation concept you're chasing after will actually make things more difficult.

                                                      There are already several commercial tools for disassembling Flash files. There is clearly a market for them. One therefore presumes that there would be enough demand for de-obfuscation in these tools, if that is possible. Thus, these tools will have de-obfuscation, if it is possible. That in turn means that obfuscation is only valuable if the disassembler providers can't figure out the obfuscation. What one human may build, another may tear apart. All the lessons of computer security tell us this, again and again.

                                                      quote:

                                                      by improving the protection, you would increase the complexity of reverse engineering, thereby reducing the likelihood that code would be compromised.
                                                      Just repeating the point, for emphasis: if you can buy a $100 tool to de-obfuscate and disassemble the program back to human-readable code, what have you gained by obfuscating the code?

                                                      quote:

                                                      why would large companies such as Adobe and Microsoft require serial numbers and keys to use their software? After all, as you mentioned, everything can be hacked.
                                                      Registration and activation systems have but one purpose: to deter casual piracy: J Random User buying one copy and installing it on his several computers, and maybe on all his friends' computers, too. The organized, professional pirates will break any system, and they don't need source code to do it.