3 Replies Latest reply on Aug 17, 2009 11:43 AM by adobe_paul

    Hiding Included Files From End User




      Hey, I've run into a little problem using the flash.filesystem class to load files dynamically.   This is doing everything through Flash CS4.  In order for these files to be loaded in the installed air application, I need to add them to the Include Files section of the Air Settings.  However, I don't want these files to be viewable or accessible to the end user.  Is there anyway to hide these files to the end user upon installation so that they won't have access to them?

        • 1. Re: Hiding Included Files From End User
          adobe_paul Adobe Employee

          Practically speaking, there is no way to hide files on a computer from an end user. It is their computer, after all -- so they can always browse their hard drive and find the files.


          (Unless I'm misunderstanding you and you want to *delete* the files from the hard drive. In that case you can't do that when the app is installed, but the first time it runs you can check if the files exist and delete them.)


          Presumably you don't want the users to access some information in the files. In that case the standard solution is to encrypt the files and decrypt them in your application. This isn't a straightforward task, however. The first challenge is the fact that all AIR apps can be decompiled/reverse engineered pretty easily. For more discussion of AIR app security/data privacy issues, you can see the (heavily annotated) slides from a presentation I gave on that topic at the 360|Flex conference last May:


          http://probertson.com/articles/2009/06/09/adobe-air-data-privacy-and-security-slides-notes -links/


          If indeed you are trying to keep data private from the users of your application, then this would probably be considered a case where you need a DRM solution. Unfortunately DRM solutions are tough, and the only DRM solution that AIR provides is for video (in conjunction with the FMRMS server).

          1 person found this helpful
          • 2. Re: Hiding Included Files From End User
            nedga055 Level 1

            Yeah, I simply wanted to restrict access to the files.  I figured I would need some sort of encryption method to encrypt the files and read them through actionscript, I was simply wondering there was a library already built to do that.


            However, I have found that you can use a ZipLoader, zip up all the files you need to load dynamically and read the zipped file in actionscript.  I've looked at a couple external libraries to do this including fZip, however none of them can read password encrypted zip files. I know you can use byte arrays to read zip files, but would you know of a way to load a password encrypted zip file?  This would help me encrypt the files so that the users wouldn't have access to them.


            The only other method I can think of would be to create my own packaged file format that I could read, however, I'm still not sure if I could read such a file format in actionscript.

            • 3. Re: Hiding Included Files From End User
              adobe_paul Adobe Employee

              For working with .zip files from ActionScript, I've had better luck with the NOCHUMP zip library rather than FZip. However, that's really not relevent because it doesn't work with password-protected zip files either. As far as I know there aren't currently any ActionScript libraries that support password-protected zip files. I don't know for sure, but I'm guessing that the password-protected .zip files might not be part of the ZIP format spec, so perhaps that's why they didn't implement it. But that's just a guess -- it's possible that password protection is part of the spec, in which case it should be doable for someone to build on one of the existing open source libraries and add password protection.


              In any case, using password-protected zip files wouldn't be a true solution to what you're looking for. In order to uncompress the zip files your app would need to have the password to the zip files. If you hard-code the password in your app source code, someone could just decompile your app to get the password. (Granted, that isn't something that a casual or non-technical user would do. So it does provide one more barrier that someone would have to go through to get your assets. But it's far from foolproof.)


              You could add an additional layer of complexity by not hard-coding the password in your app, and instead have the app call a server to get the password. But once again, someone could decompile your app (or monitor their own network traffic) to learn the url, and just load the url directly to get the password.


              You could also come up with your own file format, and you could certainly write ActionScript code to read that file format (in the same way that people write ActionScript libraries for .zip etc.). But you'd still fact the same problem: someone could decompile your app and find out how to read your file format, then they could build their own app to read your file format and extract the files.