9 Replies Latest reply on Aug 13, 2009 6:22 PM by FlexAppsStore.com

    Need to clarify swf security

    aligned2009 Level 1

      According to this document on adobe.com:




      it mentions that all swf's should not be considered black box applications.


      So if I create a high end application, basically it can be easily reversed engineered, modified and delivered on another site?


      Thanks for the help.

        • 1. Re: Need to clarify swf security
          Gregory Lafrance Level 6

          Its true that there are SWF decompilers out there, and although there are obfuscation methodologies, some or all can be outwitted.


          That's just the way it is, though we all face the same situation.


          Here are some links on the topic you will find useful.






          If this post answered your question or helped, please mark it as such.

          1 person found this helpful
          • 2. Re: Need to clarify swf security
            aligned2009 Level 1

            So when I got feedback from a venture capitalist that Flex based applications aren't a good investment for them because of the risk, what should I have said?


            From a entrepreneur's view, this seems like a major problem. How can I expect a VC to invest in something that can be unwound?


            Is Flex only really for small basic applications because of this security issue? Is silverlight a better option because of this?

            • 3. Re: Need to clarify swf security
              Flex harUI Adobe Employee

              I'd ask them what technology they'd use instead.  There are decompilers for every binary served over the web.  If obscurators really become necessary, someone or Adobe will come up with one.


              Alex Harui

              Flex SDK Developer

              Adobe Systems Inc.

              Blog: http://blogs.adobe.com/aharui

              • 4. Re: Need to clarify swf security
                aligned2009 Level 1

                That's what I said, and they didn't have an answer. However, there aren't any major applications on the web. Is this security a factor? Or is the lack of major applications due purely to the fact that Flex/Flash is a new technology?


                We have an app that is developed, not finalized. I'd hate to be the 'first example' of a pirated swf. Is there anyone in Adobe that a customer could hire to discuss these issues before rollout?



                • 5. Re: Need to clarify swf security
                  Flex harUI Adobe Employee

                  I'm not sure what you mean by "major applications".  The Adobe Showcase has plenty of useful applications and the various media outlets are starting to use Flex to make content available to viewers.  Buzzword lets you create and edit documents on the web.  I used it to create and edit articles for Flex Authority magazine.


                  I think most folks think the "key" to security for Flex apps (and any web technology) is not in the bits of the app, but in the data it manages.  So what if someone steals my SWF.  It needs to connect to my server to do anything useful, and if my server security is set up properly, only SWFs served from my approved servers will be allowed to make requests.


                  Alex Harui

                  Flex SDK Developer

                  Adobe Systems Inc.

                  Blog: http://blogs.adobe.com/aharui

                  • 6. Re: Need to clarify swf security
                    aligned2009 Level 1

                    Sorry, I should have clarified.


                    In the silicon development industry, an application costs about anywhere from $50-750k. Flex I think could performance wise support tools that are in the $50-$100k range. The higher end tools are too computationally complex. While the data that the tool works with is important, the tool itself is also important. The great part about Flex is that it can add collaboration to such an application, which is why it's an alluring technology.


                    So if a server was referenced in the code/build, wouldn't it be possible to change the url reference if the swf code is reversible? Maybe I'm missing something. Your comment sounds like it's bullet proof, but it sounds like up to this point nothing is bullet proof. If that server requirement was bullet proof, I'd feel a lot better than I do right now about security.


                    It sounds like if we have proprietary algorithms that need to be protected, they just shouldn't be in Flex - they should be on the server, and Flex should only display results of the algorithms. Is this a good read of Flex, or am I selling Flex short?


                    If the server connection requirement is bullet proof, then that would render the app useless without the server - we could even deactivate it if the server wasn't found.


                    So my questions are:

                    0. Is that server connection value bulletproof?

                    1. Are keeping proprietary algorithms out of Flex recommended due to the nature of web based applications?



                    • 7. Re: Need to clarify swf security
                      Flex harUI Adobe Employee

                      In my view, security and protection is never perfect.  The goal is to reduce your chances or the cost of a bad thing happening to the point where it is worthwhile doing.  I don't know how your industry distributes applications, but if you distribute on the web, and make enough money doing so, someone will take your download and re-distribute it under their own name.  That's why Adobe and Microsoft desktop apps use activation technology.  You gotta talk to one of our servers to prove you have a valid copy.  But somewhere someone is trying to alter our apps to get around the activation technology and will post valid activation codes that you can use.


                      So, once someone can get their hands on your app, any proprietary algorithms in that app are available for decompilation no matter whether you use Java, C++ or Flex.  That's not the same as getting the source code, but a motivated person can sniff through the decompilation and figure it out.  Obfuscators make it harder, but not impossible.


                      Requiring server connections make it even harder to re-distribute the app, enough so that it makes it worthwhile for most folks to ship very useful and very powerful applications in Flex.  Some folks keep proprietary algorithms on the server not just for security, but because that algorithm runs faster there.  This is basically a client-server application technology and standard load-distribution and performance rules for those topologies apply.


                      There's many hours and dollars worth of investment in algorithms shipped in Flex apps.  Those folks figure the trade-off of performance on the client plus the chances that it is worth someone's time to reverse engineer the decompiled swf is worth it.  You'll have to decide on the trade-offs for your application, but often, when keeping application experience and performance in mind, the proprietary work might be better done on a server anyway.


                      Someone will eventually write an obfuscator for Flex swfs, but short of that, if you use lots of private variables in your algorithm, fewer readable symbols end up in the SWF.



                      Alex Harui

                      Flex SDK Developer

                      Adobe Systems Inc.

                      Blog: http://blogs.adobe.com/aharui

                      • 8. Re: Need to clarify swf security
                        aligned2009 Level 1

                        Thanks for the great information- I'm going to have to dig deeper into the security articles to really respond in an informed manner.

                        • 9. Re: Need to clarify swf security
                          FlexAppsStore.com Level 1



                          Just as a point of reference, we have developed numerous enterprise level apps in Flex integrating to back-end systems like SAP and Oracle. Much of our IP exists within the Flex logic. Typically, with VC firms, risk mitigation is assessed in terms of legal opportunity. I would agree with others that nothing placed on the web is safe for being copied. Perhaps the question is "What's the difference between someone decompiling our swf versus someone paying a group of contract developers in India $5/hour to recreate the app from scratch."


                          We have faced this once in our history. It took two cease and desist letters and the issue was resolved.


                          Kind Regards,


                          Ivan Alexander