I've written (most of) an application in Flex and I am concerned with protecting the source code. I fired up a demo of Trillix swf decompiler and opened up the swf file that was installed to my Program Files directory. I saw that all of the actionscript packages I wrote were there. I'm not too concerned with the packages, even though there is a substantial amount of code, because it still seems pretty unusable without the mxml files. I think they are converted to actionscript, or atleast I hope. However, I would still like to explore obfuscation.

Does anyone have any experience with Flash / Actionscript 3 / Flex obfuscators? Can you recommend a good product?

+7  A: 

Here's what I would do.

  • Compile your application to a SWF file. Then encrypt the SWF using AES.

  • Make a "wrapper" application that loads the encrypted SWF into a ByteArray using URLLoader

  • Use the as3crypto library to decrypt the swf at runtime.

  • Once decrypted, use Loader.loadBytes to load the decrypted swf into the wrapper application.

This will make it a lot harder to get your code. Not impossible, but harder.

For AIR applications you could leave the SWF encrypted when delivering the application to the end-user. Then you could provide a registration key that contains the key used to decrypt the SWF.

Also, here is a link to an AS3 obfuscator. I am not sure how well it works though.

+9  A: 

The procedure suggested by maclema will not really stop any attacker from obtaining the source - the "wrapper application" will need to be unencrypted so the attacker will be able to find out that you use AES (or any other algorithm) and he will obtain the decryption key in a similar way (because it needs to be in plaintext somewhere). Once he has this, he will be able to decrypt your SWF file easily.

The only reliable solution (well...) is some kind of obfuscator - we use Amayeta which works for Flex in the latest version - please see .

+1  A: 

There is also a good one Actionscript obfuscator called SWF Protector ! I have been using it since the end of 2008. Try it!

Yes, SWF Protector isn't bad at all since it messes up the code quite badly. Take a look at the sample of decompiled ActionScript: