1

I'm developing a Flex application for a customer and I don't want others to read my code using decompilers. I found a SWF protector (dcomsoft) that converts all code to byte arrays, so the code becomes more complex for beginner programmers, but I don't think it's enough for professionals.

Is it enough to do some obfuscation and then protect the SWF?

Artjom B.
parse
  • No precaution is enough against a skilled hacker; the SWF should be able to be natively disassembled inside Flash Player to actually be played, so a hacker can plainly emulate Flash Player to get your SWF's code. Still, some kind of SWF protection will likely throw the majority of "hackers" off the board, and make others waste more resources to get through this obfuscation, which might not be as satisfactory, so they could also stop trying, saying "too big effort for too small reward". – Vesper May 13 '14 at 11:40
  • "..they could also stop trying." That's what I want to do by making the code more complex. – parse May 13 '14 at 11:58
  • An unprotected SWF can be hacked by 90% of users, protected - 40%, very well protected - by 5%. The numbers are fake, but the idea still stands: even if the majority of "hackers" will give up, your SWF cannot count as 100% secure ;) – Creative Magic May 13 '14 at 12:23

1 Answer

2

Short answer - no.

Any compiled code can be decompiled; obfuscated code can be reversed to normal (many decompilers do that automatically or have that option).

As long as it's on the client side, the code is not secure. You can use the fancy tool, maybe it will take an extra 30 minutes to decompile it, but the people who are interested in knowing how it works will be able to do so.

Creative Magic
  • You mention that my SWF is on the client side; are there some tricks to make the SWF get some methods from the server side? My SWF app uses the network. – parse May 13 '14 at 12:00
  • @user3632172 Anyway those methods will be executed client side. You can have serverside logic, but it won't be a SWF. – Vesper May 13 '14 at 12:03
  • Not only SWF, any code, be it C/C++, Java or any other client-side app; client side is not secure. SWF is just super easy to decompile. Sure, you can include some logic in a separate SWF and load that at run time, it will be harder to hack, because you'll have to do more than just pressing a button, but still, pretty easy. I had a similar situation to yours. Just forget about securing the SWF, don't waste time, make sure that the sensitive data is on the server and that should be enough. PS: most "hackers" hunt for graphics and animations, not code ;) – Creative Magic May 13 '14 at 12:20
  • Is your app sensitive by itself? If you want to protect your code only to prevent "code steal", don't bother going further than a small bit of obfuscation. Most hackers won't care a bit about your code, and the amount of work you will expend won't really matter. If you must protect sensitive data or a process that must happen client-side, then code protection may be something to look into, in order to deter people looking for that; but as @CreativeMagic said, it would be better to have all sensitive data on the server. – Aralicia May 13 '14 at 13:07
  • Vesper, yes, you are right, the methods will be executed on the client side. Creative Magic, I hope that they will steal only my graphics; I use only Flex design, it's like HTML :D. @Aralicia "...it would be better to have all sensitive data on the server." Good idea, but for example, what if I want to make the server IP invisible in my code, and I want to get the IP from the server side (via an HTTP request) and return it to the client side, then connect to the server, and this HTTP request will be accepted only from my client, with no direct access? – parse May 13 '14 at 19:13
  • The first part of the answer was good. Then the only truth is that SWF is OPEN format. What this means is that the final code produced and run by the virtual machine (Flash Player) IS READABLE. So the short answer is truly __no__ - you can make it more difficult, but never impossible. Best is to take the business logic to server. And if you find the need to - you can buy some obfuscators to make it more difficult to hack. It's not the place to talk about `client`, because yes, most of the current games that you and install on your pc CANNOT be decompiled, but this is another topic.. – Andrey Popov May 13 '14 at 19:16
  • @AndreyPopov I don't understand what you mean by "Best is to take the business logic to server"? – parse May 13 '14 at 21:51
  • @Wowali taking business logic to the server means either putting the data (model) on the server and only sending the necessary bits to Flash, or doing all the calculations/processing on the server and letting Flash only display the result. I think the question is answered, is there something that doesn't satisfy you? – Creative Magic May 14 '14 at 02:28
  • @Wowali - this means to make all calculations that have to do with scores/bills/payments/achievements/results or anything that you write into your database - __serverside__. For example if you play a game, you don't POST to server `2116` scores, as someone can modify the request and make it `9116`. You post the action like `I've moved that tile`, server calculates what's going on, and returns the updated score. This is a basic model that can be implemented almost everywhere (sometimes harder, sometimes not). – Andrey Popov May 14 '14 at 07:09
  • Perfect answers from CreativeMagic and Andrey Popov. Many thanks (f) – parse May 14 '14 at 13:24
  • @Wowali in that case feel free to mark the answer as correct so that other people with the same question could find the answer easier. – Creative Magic May 14 '14 at 17:48
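
The server-side model described in the comments above (the client posts the action, the server calculates the score), as an added example that is not part of the original thread. The board, `Session` and `handle_action` are hypothetical names, and Python stands in for whatever server language the application uses.

```python
from dataclasses import dataclass, field

# Constructed sample board: points per tile, held only on the server.
BOARD = {(0, 0): 0, (0, 1): 10, (1, 0): 5, (1, 1): 20, (0, 2): 50}


@dataclass
class Session:
    """Per-player state kept server-side (hypothetical structure)."""
    position: tuple = (0, 0)
    score: int = 0
    visited: set = field(default_factory=lambda: {(0, 0)})


def _reject(session, reason):
    return {"ok": False, "error": reason, "score": session.score}


def handle_action(session, request):
    """Apply one client action. The score is computed here from server
    state; any "score" field the client sends is never read."""
    if request.get("action") != "move":
        return _reject(session, "unknown action")
    to = request.get("to")
    if (not isinstance(to, (list, tuple)) or len(to) != 2
            or not all(type(v) is int for v in to)):
        return _reject(session, "malformed target")
    to = tuple(to)
    if to not in BOARD:
        return _reject(session, "off board")
    # Only a one-step horizontal or vertical move is legal.
    dist = abs(to[0] - session.position[0]) + abs(to[1] - session.position[1])
    if dist != 1:
        return _reject(session, "illegal move")
    if to not in session.visited:  # each tile pays out once
        session.score += BOARD[to]
        session.visited.add(to)
    session.position = to
    return {"ok": True, "score": session.score}


if __name__ == "__main__":
    s = Session()
    # Constructed requests: a forged score field, then an attempt to set it.
    print(handle_action(s, {"action": "move", "to": [0, 1], "score": 9116}))
    print(handle_action(s, {"action": "set_score", "score": 9116}))
```

A decompiled client reveals only which actions exist; the point values and the move rules stay on the server, so a modified request can at most submit another legal move.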