Friday, March 4, 2011

Flash programmers: how do you make your code decompile proof?

I've worked on several Flash projects so far. I know my way around AS3 but I also started becoming curious about how other Flash programs are written, so I decompiled a few SWF files to see how they were made. (I have also read through open source projects, but I don't say that because I feel guilty about decompiling SWF files or anything.) And I learned a lot by looking into these projects. But there were some projects where I couldn't make any sense of the code at all. It looked like they couldn't have been written by human beings!

Maybe they were obfuscated, right? And that got me thinking: there are more and more sites that offer a Flash/Flex application as their primary service. I'm thinking of Scribd, Sproutbuilder, but you could think of others. These sites have a great interest in protecting the code in their Flash platforms.

So that brings me to my question: what kind of tools or techniques do you, Flash programmers, use to make your code decompile-proof?

EDIT: after posting this, I came across this interesting post by Charles Miller about the futility of obfuscation. He makes a fair point. Software is an investment of time, and eventually someone will put in enough time to reverse engineer even the most daunting project of software engineering. (Hint, hint: Mac OS, Windows, iPhone, you name it.) But that doesn't mean obfuscation doesn't provide a material benefit (for a short period of time) and competitive advantage to companies that were first in the market. Am I right or wrong?

From stackoverflow
  • There are several commercial and free ActionScript obfuscators; a Google search turns up several. I can't vouch for any particular one, but I'm sure that they can all still be reverse-engineered to some extent.

    IMO, if the obfuscator makes your code unreadable by renaming the variables, functions and classes to meaningless/random characters, that is often a whole heck of a lot of discouragement to anyone who wants to read your code or piece together anything more than a trivial program.

  • SWFEncrypt is one that many guys on my team have used with some success. Apparently the support for AS3 was iffy until just recently but is confirmed to work in 5.0.4+.

    http://www.amayeta.com/software/swfencrypt/

  • As far as I know, obfuscation tools like swfencrypt worked better with ActionScript 2 because it had the eval() function, which was a good way of hiding code. However, I would still recommend using something like this, and more importantly that you put as much logic as possible on the server, where it is secure.

    cliff.meyers : Yep, the rule of the game is "never trust the client."
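
The last answer's advice (keep the logic on the server and never trust the client) shown as an added example that is not part of the original thread: a server that accepts a total computed inside the SWF, next to one that recomputes it from its own data. The storefront scenario, the request shape and every name here (`CATALOG`, `handle_order_trusting`, `handle_order_authoritative`) are hypothetical.

```python
# Added example: server-side handlers for a hypothetical Flash storefront client.
# Every name and the request format are assumptions made for illustration.
from decimal import Decimal

# The authoritative price list exists only on the server (constructed sample data).
CATALOG = {"pro-export": Decimal("49.00"), "extra-storage": Decimal("9.50")}
MAX_QTY = 100


def handle_order_trusting(request: dict) -> Decimal:
    """Weak form: pricing ran in the SWF and the server believes its result."""
    return Decimal(request["total"])


def handle_order_authoritative(request: dict) -> Decimal:
    """Hardened form: the client only names items and quantities."""
    total = Decimal("0")
    for line in request.get("items", []):
        sku, qty = line.get("sku"), line.get("qty")
        if not isinstance(sku, str) or sku not in CATALOG:
            raise ValueError(f"unknown sku: {sku!r}")
        # bool is a subclass of int, so it has to be rejected explicitly.
        if isinstance(qty, bool) or not isinstance(qty, int):
            raise ValueError(f"quantity must be an integer: {qty!r}")
        if not 1 <= qty <= MAX_QTY:
            raise ValueError(f"quantity out of range for {sku}: {qty}")
        total += CATALOG[sku] * qty
    # Any "total" field in the request is ignored: it is client-controlled.
    return total


# Constructed request whose client-side total does not match the catalogue.
MISMATCHED = {"items": [{"sku": "pro-export", "qty": 2}], "total": "0.01"}

if __name__ == "__main__":
    print("trusting server charges:     ", handle_order_trusting(MISMATCHED))
    print("authoritative server charges:", handle_order_authoritative(MISMATCHED))
```

With the pricing rule on the server, obfuscating the SWF only protects readability of the client; the result no longer depends on what the client claims.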
