flex-users mailing list archives

From f...@dfguy.us
Subject Re: Air apps easily decompiled and hacked
Date Wed, 19 Feb 2014 21:03:09 GMT
I think there used to be a technique for making inner code more secure by loading in controller
classes at runtime from the server instead of embedding them in the source. However, that iOS
loading restriction would probably hamper this. I think that was more for use with Flash Player.

David



-----Original Message-----
From: Sean Thayne <sean@skyseek.com>
To: users@flex.apache.org
Sent: Wed, 19 Feb 2014 2:40 PM
Subject: Re: Air apps easily decompiled and hacked

It looks like every var declared inside a function is obscured/renamed. But
all class vars (regardless of protected, public, private) are not obscured.
They keep their original naming. Which would make sense if you're compiling a
swc, but not if you're compiling a final application (I would think). Maybe
it was created this way for RSLs?

-Sean Thayne


On Wed, Feb 19, 2014 at 1:33 PM, Gordon Smith <gosmith@adobe.com> wrote:

> Are you sure the others that aren't obscured are locals? I'd bet they're
> instance variables.
>
> - Gordon
>
> -----Original Message-----
> From: Sean Thayne [mailto:sean@skyseek.com]
> Sent: Wednesday, February 19, 2014 12:24 PM
> To: users@flex.apache.org
> Subject: Re: Air apps easily decompiled and hacked
>
> Ya, you're right Alex, I re-checked, and there are no comments. It does keep
> trace() calls though.
>
> I also noticed that it does obscure some local vars into _loc_# vars,
> but it doesn't obscure others, which I think is kinda weird.
>
> -Sean Thayne
>
>
> On Wed, Feb 19, 2014 at 11:47 AM, Alex Harui <aharui@adobe.com> wrote:
>
> > Comments are easily viewable?  I don't think so.  It also depends on
> > whether you have the original source files or not.  For Google
> > Closure, if you have a source map, you can get back to the source as
> > well.
> >
> > Try dumping out an export release version of one of your SWFs.  Sure
> > you can get back from the byte code to the basic algorithm, but I
> > don't think it is that much easier than deciphering a minified JS or
> > even looking at Intel byte code in an EXE file.
> >
> > -Alex
> > ________________________________________
> > From: Sean Thayne <sean@skyseek.com>
> > Sent: Wednesday, February 19, 2014 8:21 AM
> > To: users@flex.apache.org
> > Subject: Re: Air apps easily decompiled and hacked
> >
> > I'm actually more concerned about the plain readability of the AS3,
> > even comments are easily viewable. Whereas a JS site that has been
> > compiled with Google Closures is minimized and heavily obscured. I feel
> > like it would be very easy to steal someone's hard work.
> >
> > -Sean Thayne
> >
> >
> > On Wed, Feb 19, 2014 at 9:18 AM, Gary Yang <flashflexpro@gmail.com> wrote:
> >
> > > Client side cannot be trusted, server API should always be the
> > > security gate!
> > >
> > > After all, there are certain applications that can encrypt Flash
> > > applications; a JavaScript application is just plain text!!!
> > >
> > >
> > > On Wed, Feb 19, 2014 at 11:08 AM, Sean Thayne <sean@skyseek.com> wrote:
> > >
> > > > Anybody else concerned about decompilers like SoThink?
> > > >
> > > > http://www.ericzhang.me/cracking-adobe-air-applications/
> > > >
> > > > -Sean Thayne
> > > >
> > >
> >
>