flex-users mailing list archives

From Joseph Balderson <n...@joeflash.ca>
Subject Re: Air apps easily decompiled and hacked
Date Thu, 20 Feb 2014 00:59:53 GMT
+1 totally agree.

This is really nothing new: decompiling SWFs has been possible since... well, as
long as Flash has been around, over 15 years. But unless what a hacker is hoping
to get is a mere few lines of code, it's so time-consuming (even assuming it's
possible) to be able to reconstitute a working application from decompiled code
as to be practically worthless, it would really take someone an insane amount of

But if your business security for whatever reason relies upon someone not being
able to decompile a SWF or an AIR file, you might want to look into solutions
such as Nitro-LM:


Joseph Balderson, Flex & Flash Platform Developer :: http://joeflash.ca
Author, Professional Flex 3 :: http://tinyurl.com/proflex3book

Doug McCune wrote:
> As someone who worried about this, and put a lot of time into encryption,
> my advice is to not worry about this. I know we all think our apps are
> super special and have crazy cool implementation details, etc. but the
> reality is that nobody is going to steal your code.
> The decompiler output isn't nearly good enough to easily reconstruct a
> non-trivial app. It's certainly good enough to get a sense of how someone
> is doing things, or to reverse engineer API calls, or to get the key parts
> of core algorithms. But you can't just decompile and recompile to get a
> working app (at least not for any real world app that's more than Hello
> World). But beyond the technical limitations, the bigger thing is that it's
> just simply a time sink to worry about someone stealing your code. As
> someone who has gone there and back (in terms of figuring out how to
> encrypt our swf bytecode and decrypt at runtime), trust me, it's not a
> problem you need to solve. I don't know your business, but I'd wager
> anything that your success will hinge on a billion other factors and that
> source code stealing isn't a real risk. Better to invest your time in
> something that will actually matter.
> On Wed, Feb 19, 2014 at 1:03 PM, <flex@dfguy.us> wrote:
>> I think there used to be a technique for making inner code more secure by
>> loading in controller classes at runtime from the server instead of
>> embedding them in the source. However that iOS loading restriction would
>> probably hamper this. I think that was more for use with Flash player.
>> David
>> -----Original Message-----
>> From: Sean Thayne <sean@skyseek.com>
>> To: users@flex.apache.org
>> Sent: Wed, 19 Feb 2014 2:40 PM
>> Subject: Re: Air apps easily decompiled and hacked
>> It looks like every var declared inside a function is obscured/renamed. But
>> all class vars (regardless of protected, public, private) are not obscured.
>> They keep their original naming. Which would make sense if you're compiling a
>> swc, but not if you're compiling a final application (I would think). Maybe
>> it was created this way for RSLs?
>> -Sean Thayne
>> On Wed, Feb 19, 2014 at 1:33 PM, Gordon Smith <gosmith@adobe.com> wrote:
>>> Are you sure the others that aren't obscured are locals? I'd bet they're
>>> instance variables.
>>> - Gordon
>>> -----Original Message-----
>>> From: Sean Thayne [mailto:sean@skyseek.com]
>>> Sent: Wednesday, February 19, 2014 12:24 PM
>>> To: users@flex.apache.org
>>> Subject: Re: Air apps easily decompiled and hacked
>>> Ya, you're right Alex, I re-checked, and there are no comments. It does keep
>>> trace() calls though.
>>> I also noticed that it does obscure some local vars into _loc_# vars,
>>> but it doesn't obscure others, which I think is kinda weird.
>>> -Sean Thayne
>>> On Wed, Feb 19, 2014 at 11:47 AM, Alex Harui <aharui@adobe.com> wrote:
>>>> Comments are easily viewable?  I don't think so.  It also depends on
>>>> whether you have the original source files or not.  For Google
>>>> Closure, if you have a source map, you can get back to the source as well.
>>>> Try dumping out an export release version of one of your SWFs.  Sure
>>>> you can get back from the byte code to the basic algorithm, but I
>>>> don't think it is that much easier than deciphering a minified js or
>>>> even looking at Intel byte code in an EXE file.
>>>> -Alex
>>>> ________________________________________
>>>> From: Sean Thayne <sean@skyseek.com>
>>>> Sent: Wednesday, February 19, 2014 8:21 AM
>>>> To: users@flex.apache.org
>>>> Subject: Re: Air apps easily decompiled and hacked
>>>> I'm actually more concerned about the plain readability of the AS3,
>>>> even comments are easily viewable. Whereas a JS site that has been
>>>> compiled with Google Closures is minimized and heavily obscured. I feel
>>>> like it would be very easy to steal someone's hard work.
>>>> -Sean Thayne
>>>> On Wed, Feb 19, 2014 at 9:18 AM, Gary Yang <flashflexpro@gmail.com> wrote:
>>>>> Client side can not be trusted, server api should always be the
>>>>> security gate!
>>>>> After all there are certain applications that can encrypt Flash
>>>>> applications, Javascript application is just plain text!!!
>>>>> On Wed, Feb 19, 2014 at 11:08 AM, Sean Thayne <sean@skyseek.com> wrote:
>>>>>> Anybody else concerned about decompilers like SoThink?
>>>>>> http://www.ericzhang.me/cracking-adobe-air-applications/
>>>>>> -Sean Thayne
