tags:

views:

2597

answers:

3
+5  Q: 

Flex / Air obfuscation

I've written (most of) an application in Flex and I am concerned with protecting the source code. I fired up a demo of Trillix swf decompiler and opened up the swf file that was installed to my Program Files directory. I saw that all of the actionscript packages I wrote were there. I'm not too concerned with the packages, even though there is a substantial amount of code, because it still seems pretty unusable without the mxml files. I think they are converted to actionscript, or atleast I hope. However, I would still like to explore obfuscation.

Does anyone have any experience with Flash / Actionscript 3 / Flex obfuscators? Can you recommend a good product?

+7  A: 

Here's what I would do.

  • Compile your application to a SWF file. Then encrypt the SWF using AES.

  • Make a "wrapper" application that loads the encrypted SWF into a ByteArray using URLLoader

  • Use the as3crypto library to decrypt the swf at runtime.

  • Once decrypted, use Loader.loadBytes to load the decrypted swf into the wrapper application.

This will make it a lot harder to get your code. Not impossible, but harder.

For AIR applications you could leave the SWF encrypted when delivering the application to the end-user. Then you could provide a registration key that contains the key used to decrypt the SWF.

Also, here is a link to an AS3 obfuscator. I am not sure how well it works though. http://www.ambiera.com/irrfuscator/index.html

maclema  2008-08-07 16:28:34
+9  A: 

The procedure suggested by maclema will not really stop any attacker from obtaining the source - the "wrapper application" will need to be unencrypted so the attacker will be able to find out that you use AES (or any other algorithm) and he will obtain the decryption key in a similar way (because it needs to be in plaintext somewhere). Once he has this, he will be able to decrypt your SWF file easily.

The only reliable solution (well...) is some kind of obfuscator - we use Amayeta which works for Flex in the latest version - please see http://www.amayeta.com/software/swfencrypt/ .

Borek  2008-09-25 11:03:36
+1  A: 

There is also a good one Actionscript obfuscator called SWF Protector ! I have been using it since the end of 2008. Try it!

Alex  2010-05-17 10:54:36
Yes, SWF Protector isn't bad at all since it messes up the code quite badly. Take a look at the sample of decompiled ActionScript: http://tekkie.flashbit.net/flash/as/protect-your-actionscript-code-with-swf-protector
Ain  2010-08-01 21:03:53

related questions

Silverlight vs Flex
Executing JavaScript from Flex: Is this javascript function dangerous?
How To Get Label Of Combobox to Fade In Flex
How do I change the title bar icon in Adobe AIR?
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Flex: does painless programmatic data binding exist?
SoapException: Root element is missing occurs when .NET web service called from Flex
Any recommendations for in-depth Flex training?
How do I restyle an Adobe Flex Accordion to include a button in each canvas header?
Deleting / Replacing A Node in E4X (AS3 - Flex)
How can I "unaccept" a drag in Flex?
Printing Flex components in FireFox 3
Is it possible to add behavior to a non-dynamic ActionScript 3 class without inheriting the class?
How do I get rid of the "multiple describeType entries" warning?
Open local file with AIR / Flex
Adobe Flex component events
Can you access the windows registry from Adobe Air?
Actionscript 3 - Fastest way to parse yyyy-mm-dd hh:mm:ss to a Date object?
Adobe Air - Using multiple SQLite databases at once
How can I unit test Flex applications from within the IDE or a build script?
Best way to learn Flash?
Get the current logged in OS user in Adobe Air
Adobe air - SQLStatement.execute() - Multiple queries in one statement
Unloading a ByteArray in Actionscript 3.