8 Replies Latest reply on Jun 11, 2008 10:20 AM by glen08

    Residual swf file on client computer?

    glen08 Level 1
      Once you have closed the browser that ran a Flex application, is the swf file containing the client application left on the hard disk or in the RAM of the client computer?
        • 1. Re: Residual swf file on client computer?
          ntsiii Level 3
          On the disk, yes, cached in the Temporary Internet files folder.

          In ram, no.

          Tracy
          • 2. Residual swf file on client computer?
            glen08 Level 1
            Is it possible to reverse engineer a swf file to get the original ActionScript
            back, like decompiling a Java class file back to Java source code?
            • 3. Re: Residual swf file on client computer?
              slaingod Level 1
              You can decompile many if not all SWFs into ActionScript. I am not aware of any way to decompile back into 'mxml' at this point. Google "decompile swf".
              • 4. Re: Residual swf file on client computer?
                glen08 Level 1
                quote:

                Originally posted by: slaingod
                You can decompile many if not all SWFs into ActionScript. I am not aware of any way to decompile back into 'mxml' at this point. Google "decompile swf".


                It is a security issue.
                Is there a way to delete the swf once the application is closed or just keep the swf file in RAM?
                • 5. Residual swf file on client computer?
                  slaingod Level 1
                  It isn't a security issue unless you are trying to prevent a 3rd party other than the user/client from accessing the data. If you do not want a client/user to have access to hack the code, then it cannot be allowed to ever run on hardware a client/user controls. This is Security 101. Same reason you can get cracks for every game ever made, every major program ever released, etc. If the client can run it in a debugger, they can do anything given enough time/sophistication.

                  Put another way: Security by obscurity/obfuscation, is not security at all.

                  If you want something to be secure (from the client), then it can only ever run on your own hardware (i.e. web servers). It is possible to have secure communications between client and browser though, in the sense that a third party wouldn't be able to interfere with/read the communications between the client and the server.

                  All you would be doing by trying to keep the swf in RAM, or delete it is try and put a bandaid on a corpse. (Sorry, it's late and my analogy sucks.) Anyone sophisticated enough to decompile and understand a SWF file will not have any problems reading RAM or whatever other measures you can think of.

                  If there was a foolproof way to do this, every commercial close-sourced software company in the world would be using it.
                  • 6. Re: Residual swf file on client computer?
                    glen08 Level 1
                    I only want the authenticated users to see the programs and data, not others. Now swf files are cached on the HD, so anyone who can get hold of the HD can get the swf files (if they are still in the temp dir) and decompile the swf files. Hacking RAM is much harder. If all the swf files are just kept in RAM while the Flex application is running, their memory space would become available for other things when the browser is closed or the application exits.

                    Since Flex applications can be accessed from any browser (in an airport terminal or on a school computer), the residual swf files on those computers cause security problems. I'm not talking about a man-in-the-middle attack, which is normally solved by using SSL.
                    • 7. Residual swf file on client computer?
                      Mitek17 Level 1
                      Piece of cake!
                      The user loads the wrapper SWF file, which contains nothing, and if the user is authenticated, this wrapper downloads the other SWFs using SWFLoader.
                      The browser cache contains only SWFs which were loaded while browsing; everything which is loaded via SWFLoader goes unnoticed by it.

                      That's how I've done it.
                      Here is the discussion how to do this
                      (excuse my Russian :)

                      There is only one downside to this: you can't use RSLs if you want to leave the user's machine 100% clean. RSLs are loaded and placed in the disk cache. And if you don't use RSLs, the size of the SWFs will be significant and loading time will be quite high.

                      Cheers,
                      Dmitri.
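
The server side of the wrapper layout described in reply 7, as an added example that is not code from this thread or from Flex: the wrapper SWF is public, while the real module is served only to an authenticated session and is marked `Cache-Control: no-store` so the browser is asked not to write it to disk. The paths, the `sid` cookie name and the in-memory session set are assumptions made for the example.

```python
# Added example: gate the application SWF behind authentication and forbid caching.
# Paths, cookie name and session store are hypothetical; the byte strings are constructed.
import hmac

SESSIONS = {"constructed-session-token"}        # constructed sample session store
WRAPPER_BYTES = b"FWS\x09"                      # stand-in for the empty wrapper SWF
MODULE_BYTES = b"FWS\x09" + b"\x00" * 16        # stand-in for the protected module SWF
SWF_TYPE = ("Content-Type", "application/x-shockwave-flash")
NO_STORE = ("Cache-Control", "no-store")        # response must not be stored by any cache

def session_from_cookie(cookie_header):
    """Return the value of the 'sid' cookie, or '' if it is absent."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "sid":
            return value
    return ""

def is_authenticated(token):
    """Constant-time comparison against every known session token."""
    raw = token.encode("utf-8")
    return any(hmac.compare_digest(raw, s.encode("utf-8")) for s in SESSIONS)

def app(environ, start_response):
    """Minimal WSGI application: public wrapper, gated module."""
    path = environ.get("PATH_INFO", "")
    if path == "/wrapper.swf":
        # The wrapper holds no logic or data, so normal caching is acceptable.
        start_response("200 OK", [SWF_TYPE])
        return [WRAPPER_BYTES]
    if path == "/modules/app.swf":
        token = session_from_cookie(environ.get("HTTP_COOKIE", ""))
        if not is_authenticated(token):
            start_response("403 Forbidden", [NO_STORE])
            return [b""]
        start_response("200 OK", [SWF_TYPE, NO_STORE])
        return [MODULE_BYTES]
    start_response("404 Not Found", [])
    return [b""]

def call(path, cookie=""):
    """Drive the app in-process; returns (status, headers dict, body)."""
    seen = {}
    def start_response(status, headers):
        seen["status"], seen["headers"] = status, dict(headers)
    body = b"".join(app({"PATH_INFO": path, "HTTP_COOKIE": cookie}, start_response))
    return seen["status"], seen["headers"], body
```

Checking the browser's cache directory after a session on a test machine confirms whether the module was actually kept out of it.
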
                      • 8. Re: Residual swf file on client computer?
                        glen08 Level 1
                        quote:

                        Originally posted by: Mitek17

                        That's how I've done it.
                        Here is the discussion how to do this
                        (excuse my Russian :)




                        Can you copy & paste the code here and translate Russian to English?