Having built/architected/developed/consulted many Adobe Flex applications and being one of the first certified Flex instructors in the world, I’ve seen a lot of Flex applications. Some good, some bad.
But no matter how many applications or who I’m talking to, I always stress the importance of securing proprietary information. By securing, I mean don’t put it in your application. Unless you are encrypting your application and decrypting at runtime, you are subject to a decompiler exposing your secrets.
There are Flash decompilers that will take any SWF and give you the source:
Trillix Flash Decompiler is one of the best commercial tools I’ve found.
I’ve even seen guys decompile, make changes and then recompile a Flex app. This is scary! Say goodbye to licensing software in Flash.
But HP just released a tool that has caught my eye as well. (Note: I have not tested this tool.) It claims to decompile and test for security weaknesses. It’s called SWFScan and it’s a free Windows-based tool from HP.
If security in a Flex- or Flash-based application is a concern for you, you must look at these tools. If security is not your concern, look anyway.
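As a pre-release check on your own builds, the added example below (not from the original post) inflates a SWF body and lists printable strings that look like compiled-in secrets, which shows that even without a decompiler such strings are readable. The keyword list, function names and sample bytes are assumptions constructed for illustration; only the `FWS` and `CWS` (zlib) signatures are handled.

```python
import re
import struct
import zlib

# Illustrative keyword list (an assumption); tune it to your own code base.
SUSPICIOUS = re.compile(
    rb"(?i)(password|passwd|secret|api[_-]?key|license[_-]?key|private[_-]?key)"
)
# Runs of six or more printable ASCII bytes, like the Unix `strings` tool.
PRINTABLE = re.compile(rb"[\x20-\x7e]{6,}")


def swf_body(data: bytes) -> bytes:
    """Return the uncompressed SWF body (everything after the 8-byte header)."""
    if len(data) < 8:
        raise ValueError("too short to be a SWF")
    signature = data[:3]
    if signature == b"FWS":      # uncompressed SWF
        return data[8:]
    if signature == b"CWS":      # zlib-compressed after the header
        return zlib.decompress(data[8:])
    raise ValueError(f"unsupported signature {signature!r}")


def find_embedded_secrets(data: bytes) -> list[str]:
    """List printable strings in the SWF body that match a suspicious keyword."""
    hits = []
    for match in PRINTABLE.finditer(swf_body(data)):
        text = match.group()
        if SUSPICIOUS.search(text):
            hits.append(text.decode("ascii"))
    return hits


def make_sample_swf() -> bytes:
    """Constructed sample: a CWS header around bytes standing in for bytecode."""
    body = b"\x00\x10" + b"\x01" * 20 + b"licenseKey=DEMO-0000-PLACEHOLDER" + b"\x00"
    header = b"CWS" + bytes([9]) + struct.pack("<I", 8 + len(body))
    return header + zlib.compress(body)


if __name__ == "__main__":
    for hit in find_embedded_secrets(make_sample_swf()):
        print("embedded string:", hit)
```

Any hit is a value that should move to a server-side check rather than ship inside the SWF.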


2 responses so far ↓
1 Andrew Westberg // Jun 25, 2009 at 7:16 am
I don’t know if I’d go so far as to say goodbye to licensing software in Flash, just that I wouldn’t keep the guts of the licensing system inside the flash player. The article I wrote highlighting how it’s possible to decompile, make changes and recompile was mainly to wake people up to the possibilities that exist out there and to highlight how Nitro-LM’s approach to licensing software is fundamentally different and not as susceptible to this type of attack.
2 Keith Peters // Jun 25, 2009 at 12:01 pm
Decompilers have existed in Flash since the earliest days. “Say goodbye to licensing software in Flash”? When did we say hello?