If we create an online SWF application, is there any way to secure it so that someone else doesn't download it and put it on their site? For instance, Webkinz is made with Flash, yet nobody is pirating it on their servers with the whole game unlocked. What is Webkinz doing that we can do?

Thanks!

A: 

I'm not sure how different sites handle things, but one way to ensure that somebody doesn't rip off your Flash app is to use the concept of license files. The cheesy way would be:

  1. Use an obfuscated url and name for the license file.

  2. Embed the relative path to the license file in your Flash application.

  3. Prevent directory browsing to the child directories.

  4. Protect the Flash application from de-compilation.

It's ghetto...but it's at least a base to work off of and should give you an idea of ONE way of doing it.

Justin Niessner
You might want to expand on (4), because unless you can accomplish that none of the other points will do very much. Someone could just get the flash and license files out of their cache.
fenomas
+1  A: 

That mostly depends on your web server software. If PHP, you can use readfile(). See the example here. Store the .swf itself above the webroot, then use some authentication before calling readfile. In this setup, you'd call the php file with your readfile() call in place of the .swf.

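So it might look, in an extremely simplified way, something like this:

fakeswf.php:

<?php
// authenticate() stands for the site's own check; it is not defined in this snippet.
if (authenticate()) {
    // Placeholder content type (see the note below); the type registered for .swf
    // is application/x-shockwave-flash.
    header("Content-Type: application/flash");
    readfile("../realswf.swf");
} else {
    header("Content-Type: text/html");
    echo "Nothing to see here.";
}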

index.html:

<a href="fakeswf.php">Click here to play my game</a>

As far as the browser is concerned (if you properly set the headers as per the example), fakeswf.php is a .swf file.

IMPORTANT NOTE: I didn't actually look up the proper content type for a .swf file. Be sure to look it up and change it accordingly.

Shadow
Why couldn't people simply retrieve fakeswf.php, then rename it?
fenomas
Because the file isn't actually stored in the php file. And if you have a server configuration that allows you to download server-side code, you've got bigger problems.
Shadow
Further, in the authentication step, you hopefully take steps to ensure the file is being called from your server.
Shadow
The swf isn't stored in the php file on the server side, but on the client side it is. When someone views your site, the web server will send their browser a file called "fakeswf.php" that contains the contents of your swf. The user can simply rename that file.
fenomas
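
One possible shape for the authenticate() step in the answer above, as an added example that is not code from the original post: the embedding page issues a short-lived HMAC token tied to the visitor's session, and fakeswf.php verifies it before calling readfile(). The SWF_TOKEN_KEY environment variable, the t query parameter, the 60-second lifetime and the function names are assumptions; application/x-shockwave-flash is the MIME type registered for SWF.

```php
<?php
// Added example. SWF_TOKEN_KEY, the "t" parameter and TOKEN_TTL are assumptions.
const SWF_PATH  = __DIR__ . '/../realswf.swf'; // above the webroot, as in the answer
const TOKEN_TTL = 60;                           // seconds a token stays valid

function swf_secret(): string {
    // Assumed: the key lives in server configuration, never in the page or the SWF.
    $key = getenv('SWF_TOKEN_KEY');
    if ($key === false || strlen($key) < 32) {
        throw new RuntimeException('SWF_TOKEN_KEY missing or too short');
    }
    return $key;
}

// The embedding page calls this and links to fakeswf.php?t=<token>.
function issue_token(string $sessionId, ?int $now = null): string {
    $expires = ($now ?? time()) + TOKEN_TTL;
    return $expires . '.' . hash_hmac('sha256', $sessionId . '|' . $expires, swf_secret());
}

// One possible authenticate(): token is well formed, unexpired, bound to this session.
function authenticate(string $token, string $sessionId, ?int $now = null): bool {
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return false;
    }
    [$expires, $mac] = $parts;
    if ((int) $expires < ($now ?? time())) {
        return false;
    }
    $expected = hash_hmac('sha256', $sessionId . '|' . $expires, swf_secret());
    return hash_equals($expected, $mac); // constant-time comparison
}

session_start();
$token = $_GET['t'] ?? '';
if (is_string($token) && authenticate($token, session_id())) {
    header('Content-Type: application/x-shockwave-flash');
    header('Cache-Control: no-store');
    readfile(SWF_PATH);
} else {
    http_response_code(403);
    header('Content-Type: text/plain');
    echo 'Nothing to see here.';
}
```

The check decides who may fetch the movie; as fenomas points out in the comments, a visitor who passes it still receives the SWF bytes.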
+1  A: 

You can make it difficult to steal your SWF files if you do like Webkinz does, in that they have one main movie that is embedded in the page (so users know the URL of that movie). All subsequent movies are loaded in that original movie programmatically. Of course someone with a Flash decompiler could decompile your movie and see the paths, but then again you could even go through the trouble of making the names of those MovieClips obscure.

Osc
+2  A: 

1- Obfuscate your ActionScript using an advanced obfuscator such as secureSWF.

2- Domain lock your SWF files.

3- Create a dummy loader, rename the original SWF files and change their extension, then load the original SWF files using the dummy loader.

4- Make sure to prevent hot linking. (this will depend on your web server)

5- Encrypt sensitive strings in your ActionScript; either manually in your code, or you can also use secureSWF for that.

Ammar
The original SWF file can be found out by decompiling the dummy loader; still, it is a way of adding security. I think I came up with an alternative. I will post it on my blog soon.
Oliver
yes, but the original will be obfuscated and domain locked. Not useful!
Ammar
+2  A: 

Keep in mind that all the answers in here are variations on ways to make it more difficult or annoying for someone to re-host your flash. There is no way to prevent someone from doing it, unless your ability to obfuscate your defenses exceeds the attacker's ability to de-obfuscate them.

As for what I'd do, I'd sprinkle my code with bits like this:

// in a display object
if ( loaderInfo.url != "http://example.com/my/real/content.swf" ) {
    // blow up
}

That should stop anyone who doesn't have access to a decompiler. If that's not good enough, the only answer is to invest in an obfuscator, because nothing else you do is going to make any difference unless your code is obfuscated.

fenomas
A: 

If you want to prevent your flash files being stolen then obfuscation is only going to slow this process down or even worse make your flash files no longer work. Take a look at http://www.locklizard.com/flash_security.htm if you are looking for something secure and reliable.

A: 
  • Use an ActionScript obfuscator like SWF Protector from DComSoft ( http://www.dcomsoft.com )
  • Server-side protection by using htaccess URL rewrite and hotlink prevention rules that will hide/mask the URL to your SWF
  • You may try encryption with the As3crypto library
  • Load SWF at Runtime. Just embed an SWF as a ByteArray into the loader SWF and it can be loaded through Loader.loadBytes().
Alex
A: 

We have extensively tested all of the SWF tools on the market and not one except secureSWF does the job. However, it's not without its problems either: my SWF was found broken after applying many combinations of settings. Frustrated, I decided to use a better idea with PHP, which is similar to how a "Copy Protected Audio CD" works.

A demo showing how PHP can be used to secure your SWF: http://wildfiremedia.com.sg/demo.php

proyb3