19 Replies Latest reply on Jan 16, 2010 8:20 AM by dougmccune1

    Is Flex really this insecure?

    JonoB Level 1

      OK, you create a nice flex project, export a release build and put it on the internet. You run it over SSL, you keep all critical information out of the swf, and store it in the database.

      Someone browses to your site, grabs the .swf, runs it through a decompiler (lots available, just do a google search), and they have _every_ single bit of code that you wrote in your flex project. All your functions, all your client side validations....everything!

      Hooked it up to a backend with database support? Yup, they can see all the names of every service call too, along with the names of every parameter. Ouch.

      If this is the case, how can Flex ever even be considered as an 'Enterprise' solution?

      Please tell me I am missing something....

        • 1. Re: Is Flex really this insecure?
          msakrejda Level 4

          Same thing with JavaScript (minus that pesky decompilation step). This has always been the case with client-side technologies (whether browser-based or desktop deployments). It's a fundamental limitation of this sort of architecture. One typically takes this into account when designing the application and keeps all the important stuff (e.g., database credentials) strictly server-side.

          • 2. Re: Is Flex really this insecure?
            pauland Level 4

            JonoB wrote:

            > Please tell me I am missing something....

            Yes, telling us an alternative technology where everything you have said is not also true.

            • 3. Re: Is Flex really this insecure?
              SpaghettiCoder Level 3

              Not sure why they don't have Built in Code Obfuscation for FLEX pro edition...

              Anyhow,

              You don't even need to decompile with javascript.

              The only functions they get are client side views.

              You lost me on the "they get all the service calls and all the parameters" part...what can they do with that?

              CLIENT : SERVICE call : getSomething()

              SERVER : returns data : SELECT column1, column2 FROM table_name WHERE column3 = variable;

              The SQL statement isn't freshly baked and sent from client to server, the SQL statements are already pre-made, the only thing the client is doing is making a function call which executes a SQL statement which you have already pre-approved. So it's returning data that you're controlling. The php that has the function call is in a secured directory on the server with only read and execute access.
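The pre-approved-query pattern described in the post above, as an added example that is not code from the thread (Python with sqlite3 standing in for the PHP backend; the table, its rows and the getItemById service are constructed):

```python
"""Added example (not code from the thread): a server-side endpoint that only runs
pre-approved, parameterised SQL, so a client who learns the service and parameter
names from a decompiled SWF gains nothing it could not already do through the UI.
The table and rows are constructed; the service name follows the post above."""
import sqlite3

conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE items (id INTEGER, name TEXT, owner TEXT)")
conn.executemany("INSERT INTO items VALUES (?, ?, ?)",
                 [(1, "alpha", "alice"), (2, "beta", "alice"), (3, "gamma", "bob")])

# The complete set of SQL the server will ever execute. The first placeholder is
# always the authenticated user from the session, never a value the client sent.
SERVICES = {
    "getSomething": ("SELECT id, name FROM items WHERE owner = ? ORDER BY id", ()),
    "getItemById":  ("SELECT id, name FROM items WHERE owner = ? AND id = ?", ("id",)),
}

def handle_request(request, session_user):
    """Dispatch one client call {"service": str, "params": dict}.
    Returns {"ok": True, "rows": [...]} or {"ok": False, "error": str}."""
    name = request.get("service")
    params = request.get("params", {})
    if name not in SERVICES:
        return {"ok": False, "error": "unknown service"}
    sql, param_names = SERVICES[name]
    if set(params) != set(param_names):
        return {"ok": False, "error": "unexpected parameters"}
    # Values are bound to placeholders, never spliced into the SQL text, so a
    # value such as "3 OR 1=1" is compared as a literal and matches nothing.
    args = (session_user,) + tuple(params[p] for p in param_names)
    return {"ok": True, "rows": conn.execute(sql, args).fetchall()}

if __name__ == "__main__":
    print(handle_request({"service": "getSomething"}, "alice"))
    print(handle_request({"service": "getItemById", "params": {"id": "3 OR 1=1"}}, "bob"))
    print(handle_request({"service": "dropTable"}, "alice"))
```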

              • 4. Re: Is Flex really this insecure?
                Ansury Level 3

                msakrejda wrote:

                > Same thing with JavaScript (minus that pesky decompilation step).

                And same thing with those old Client/Server applications. That's a price you pay if you want something better than what amounts to essentially a dumb terminal web "application" (so called). (Not to mention the outrageous kludge of crappy hack technologies you have to slop together to get an "old school" web "application" to function.)

                • 5. Re: Is Flex really this insecure?
                  Johnking08 Level 1

                  Using the same argument, you can also say HTML/JavaScript is insecure. You can find all the request URLs and the parameters.

                  You can see JS code easily.

                  If you are worried about people stealing your business logic, you could let server programs (Java, Webservices, php, ...) do it. Your Flex only handles the presentation logic.

                  We all know the Internet is not 100% safe. The safest way to handle the data is to lock them in a safe and let nobody touch them.

                  • 6. Re: Is Flex really this insecure?
                    JonoB Level 1

                    Of course all my critical information is processed on the server in a secure manner.

                    I don't like that I have to pay $200 or $400 to another third party to give my code that extra bit of security. And, of course, to protect my intellectual property.

                    • 7. Re: Is Flex really this insecure?
                      pauland Level 4

                      JonoB wrote:

                      > Of course all my critical information is processed on the server in a secure manner.
                      >
                      > I don't like that I have to pay $200 or $400 to another third party to give my code that extra bit of security. And, of course, to protect my intellectual property.

                      Well, nothing you have said is particularly Flex specific, so would you now agree that Flex is as good an 'Enterprise' solution as any of the alternatives?

                      • 8. Re: Is Flex really this insecure?
                        SpaghettiCoder Level 3

                        I think he might be hinting at Silverlight.

                        Consumer standpoint on Silverlight is low adoption.

                        Business standpoint, IT depts of most companies will not allow stuff to be installed onto the computers by end-users, so unless it's a top down directive, the adoption of Silverlight is not going to happen. So once again, we are back at the low adoption.

                        So why develop with/for something that has low adoption...

                        Low adoption outweighs the fact the end user can decrypt the code to look at how the client side is built, I would think.

                        • 9. Re: Is Flex really this insecure?
                          msakrejda Level 4

                          How is the situation different with Silverlight? As far as I can tell, no free obfuscator exists (or at least, people seem to recommend commercial ones). And obfuscation is only obfuscation, after all--whether with Silverlight, JavaScript, or Flex, it will not stop someone determined to reverse-engineer your code.

                          • 10. Re: Is Flex really this insecure?
                            IlyaG Level 1

                            This is true!

                            This is a link to software that will easily decompile your project.
                            http://www.sothink.com/product/flashdecompiler/

                            And this is a torrent with a keygen that will show you all your scripts. It shows you your function and parameter names in the exact same format in which you compiled them.
                            http://www.torrentz.com/3bf39f79b865b5b45e67b85e1d5c03b08d3f4ff1

                            I am shocked, I am 5 days from releasing my project, now I think I will have to do it all over again in Java or something like that...

                            • 11. Re: Is Flex really this insecure?
                              msakrejda Level 4

                              > I am shocked, I am 5 days from releasing my project, now I think I will have to do it all over again in Java or something like that...

                              Good luck: http://java.decompiler.free.fr/

                              • 12. Re: Is Flex really this insecure?
                                IlyaG Level 1

                                How can I secure my project then?

                                • 13. Re: Is Flex really this insecure?
                                  pauland Level 4

                                  godilya wrote:

                                  > This is true!
                                  >
                                  > This is a link to software that will easily decompile your project.
                                  > http://www.sothink.com/product/flashdecompiler/
                                  >
                                  > And this is a torrent with a keygen that will show you all your scripts. It shows you your function and parameter names in the exact same format in which you compiled them.
                                  > http://www.torrentz.com/3bf39f79b865b5b45e67b85e1d5c03b08d3f4ff1
                                  >
                                  > I am shocked, I am 5 days from releasing my project, now I think I will have to do it all over again in Java or something like that...

                                  You think Java (or anything else) is any better than Flash in this respect? Dream on.

                                  • 14. Re: Is Flex really this insecure?
                                    msakrejda Level 4

                                    There is no foolproof way to do that if you're actually handing code to the user to run on the user's machine (which is what happens when a user loads your .swf when visiting a page, and also, obviously, when you deploy an AIR app to the user). The only sure way to prevent decompilation is to offer an interface through web services, run the code on your server, and only show static results to the user, back like in Web 1.0 days.

                                    Languages that are natively compiled (like C, C++, etc.) are generally harder to decompile than languages compiled to intermediate bytecode, and obfuscators can help to some degree, but there are trade-offs here.

                                    Ultimately, you need to weigh the effort involved in obfuscation versus its effectiveness and the likelihood that someone will actually decompile your code and use it to infringe on your IP. Many developers and companies decide that the risks are small and obfuscation is not that effective, so they don't worry about it and instead use their resources to continue improving their products.

                                    • 15. Re: Is Flex really this insecure?
                                      Gregory Lafrance Level 6

                                      Let's not forget the basic business case here. If no one else's code is any more secure than Flex, and it seems just about anything can be decompiled and / or reverse engineered, then why have not many other companies' products been copied, and the original companies put out of business?

                                      If someone copies your code and hopes to make a business of it, that's a major investment of their time and perhaps money, as additional work will surely be involved. But presumably you have fully thought out the product, its place in the market, how you will release and grow the product in future releases, etc.

                                      YouTube, SalesForce, FaceBook, etc. have competitors, but I don't see their businesses failing due to reverse engineering.

                                      If you stay one step ahead of these criminals, they won't be able to keep up.

                                      Good job on creating a releasable Flex app, go for it, and beat those who would try to steal your thunder!

                                      • 16. Re: Is Flex really this insecure?
                                        JeffryHouser Level 4

                                        I've been reading through this, and I am unclear how the existence of decompilers relates to security.

                                        What do you consider your intellectual property? What are you trying to secure?

                                        Somewhere in this thread it was mentioned that use of a swf decompiler gives the user the exact same code that you wrote. In my [limited] experience this is not true. Especially if you use a lot of MXML.

                                        • 17. Re: Is Flex really this insecure?
                                          dougmccune1

                                          The Sothink decompiler now reconstructs MXML, it's not perfect, but it's decent. But the general sentiment is right, that decompilers don't give you great code. It's a hell of a long way from compilable, and fixing it up would often take longer than writing it from scratch. Nobody's going to decompile your app and steal the whole thing.

                                          Truth be told, your app isn't important enough for anybody to spend the time to decompile it and recreate it. There, I said it. Spend your time making a good product, not worrying about non-existent threats to your yet-to-be booming business.

                                          The one thing to be careful of, however, is to be sure to not store any security-related stuff in your SWF. This includes debug passwords, or special developer backdoors, or anything like that. Because that's the one thing that is really easy to find if you dig around a lot in people's decompiled source (which is sort of a fun hobby of mine).
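A pre-release check for the leftovers Doug warns about above, added here and not part of the thread: it reads the release SWF the way a decompiler's first step does (inflate the CWS container, pull out readable strings) and flags anything resembling a debug password, backdoor login or database connection string. The sample SWF body and the secret heuristics are constructed; only the FWS/CWS header layout is the real format.

```python
"""Added example (not code from the thread): inflate a CWS/FWS file, extract the
printable strings a decompiler would show, and flag credential-like leftovers.
The sample body is constructed; only the FWS/CWS header layout is real."""
import re
import struct
import zlib

# Heuristics for the leftovers the post warns about (constructed, not exhaustive).
SECRET_PATTERNS = [
    re.compile(r"(?i)(password|passwd|pwd|secret|api_?key|token)\s*[:=]"),
    re.compile(r"(?i)(debug|backdoor|master)[_a-z]*(login|pass|key|user)"),
    re.compile(r"(?i)(mysql|jdbc|postgres)://"),
]

def swf_body(data):
    """Return the uncompressed SWF body, checking signature and declared length."""
    if len(data) < 8:
        raise ValueError("too short to be a SWF")
    sig, length = data[:3], struct.unpack("<I", data[4:8])[0]
    if sig == b"FWS":
        body = data[8:]
    elif sig == b"CWS":                      # zlib-compressed body (Flash 6+)
        body = zlib.decompress(data[8:])
    else:
        raise ValueError("unsupported signature %r (LZMA 'ZWS' not handled)" % sig)
    if len(body) + 8 != length:
        raise ValueError("declared length %d does not match body" % length)
    return body

def printable_strings(blob, min_len=6):
    """Runs of printable ASCII, the same view the 'strings' tool would give."""
    return [s.decode("ascii") for s in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)]

def find_secrets(swf):
    """Strings in the SWF that match any secret heuristic, in file order."""
    return [s for s in printable_strings(swf_body(swf))
            if any(p.search(s) for p in SECRET_PATTERNS)]

def build_cws(body, version=10):
    """Wrap a body in a CWS container (used only to construct the sample)."""
    return b"CWS" + bytes([version]) + struct.pack("<I", len(body) + 8) + zlib.compress(body)

# Constructed body: some binary-looking bytes, ordinary UI identifiers, and three
# leftovers that should never ship: a debug password, a backdoor login, a DB URL.
SAMPLE_BODY = (b"\x78\x00\x05\x5f\x00\x00\x0f\xa0\x00\x18\x01\x00\x00"
               b"LoginForm\x00submitButton\x00getSomething\x00"
               b"debugPassword=letmein\x00masterLogin\x00"
               b"mysql://app:hunter2@db.internal/prod\x00")
SAMPLE_SWF = build_cws(SAMPLE_BODY)

if __name__ == "__main__":
    for hit in find_secrets(SAMPLE_SWF):
        print("do not ship:", hit)
```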

                                          • 18. Re: Is Flex really this insecure?
                                            IlyaG Level 1

                                            I am not speaking about having all my source exposed, nobody cares about how I made my background raining... But what people do care about is if I found some new solution for some old question in programming. My project is about movement detection and it contains more than 2k lines of code in the decompiled version, but the most important algorithm there is just 15 lines and it's not too hard to find it.

                                            I am not sure about you, but this has really got me scared, I am not going to wait for Adobe to fix it, I am taking the security into my hands.
                                            The first and the most obvious step is to change all the parameters and the function names before the compilation, and it's not so hard to do.

                                            In the next coming month I will post some open source about this idea, If you like to help me you can contact me over this mail:
                                            gazman1986@gmail.com

                                            Nobody is going to mess with my thunder!

                                            • 19. Re: Is Flex really this insecure?
                                              dougmccune1 Level 1

                                              Check out this blog post:
                                              http://www.gridlinked.info/how-to-encrypt-flex-rsls/

                                              It talks about using the NitroLM product and using it for encrypting an RSL library that gets loaded at runtime. I worked on a similar solution that was custom (and that we have implemented in production), that used the same general principle of loading an encrypted RSL and decrypting it at runtime. But my previous comment about not worrying about anyone decompiling your source code comes from the fact that I've done the whole encryption thing, and largely I think it was a waste of time. It was really fun to do from a technical standpoint, but if I'm honest with myself, nobody was going to be decompiling our stuff, and even if they did, that wasn't going to make or break our business. A successful product isn't about 15 lines of code (we had a similar algorithm we were trying to protect).