3 Replies Latest reply on Sep 20, 2008 7:50 PM by Dr. Fred Mbogo

    Additional AIR Security

      One thing I would really like to see changed when it comes to AIR applications is the way the SWF and descriptor XML files are stored in the file system: they are accessible to anyone. The contents of the SWF file can be ripped out by anyone with a decompiler, and the descriptor data can be changed at any time.

      Want all of the source code for Google Analytics Suite, Adobe Media Player, AOL's top100videos, Pownce Desktop, eBay Desktop, Finetune Desktop, or any other AIR application? Just find the SWF file in the application folder and use a popular decompiler... job done. I'm sure the developers of those applications didn't intend to distribute their source code along with the applications.

      Is it not possible to store the SWF file and the descriptor data in the executable file? That would no doubt make a lot of developers (including myself) more comfortable about releasing AIR applications, and it would certainly make the source code more secure... unless of course Adobe intends to make the AIR Runtime open-source.
        • 1. Re: Additional AIR Security
          Dr. Fred Mbogo Level 1
          This has been discussed many times before.

          It's not a secret that decompilation is easy, but it's really not as big a problem as you think it is. If someone steals your code and puts it in their app, you can turn the same trick right back around on them: decompile their app and find your stolen code inside. If you do find it, this gives you an airtight copyright case. Since everyone should realize this, no one's going to risk getting caught.

          Someone may look at your code to steal ideas, which is a good thing, because turnabout works here, too. View Source is why the web took off so fast: one person would figure out a neat trick, and others would copy it. The person whose ideas were "stolen" can go out and steal others' ideas. The rising tide lifts all boats.

          Ideas that you can't afford to have stolen may be protected by patents.

          As for putting the SWF inside the executable, how long do you suppose it will take for the Flash decompiler vendors to figure that trick out? A week, at most?

          Obfuscation is doomed. Stop worrying about it and spend your time working on something worth your time.
          • 2. Re: Additional AIR Security
            _SR_ Level 1
            I'm not worrying about it; I'm bringing this topic up again because I think it would make AIR more credible as a desktop application platform, and I think it is something that should have been done from the start. Leaving the core application files floating around for anyone capable of double-clicking on a few folder icons is a bit silly if you ask me.

            We're not talking about the web here either, so the "view source" argument is moot. I make a lot of my code freely available for other developers to use, but desktop application source code is in a totally different ballpark; not all of us are simply pushing HTML pages through AIR.

            There isn't anything that can be done about SWF files used online but Adobe could at least tighten things up where AIR is concerned. Given the choice, most of us would no doubt choose to lock our doors at night. :-)
            • 3. Re: Additional AIR Security
              Dr. Fred Mbogo Level 1
              I think you're missing a key point: ActionScript cannot be turned into some kind of code that only a machine can read. The nature of the language makes decompilation pretty easy. They can't even safely rename the public symbols in your project, due to eval() and such. No matter what Adobe does, the decompiler makers will find a way to reverse it.

              If you want C++, you know where to find it.