You were concerned about decompilers being used to reverse-engineer the
code and therefore compromise security. I think it's known that there are
Flash decompilers for AS1/2. I haven't heard about an AS3 decompiler yet.
If you compare Flex and Flash (CS3/AS3) vulnerability to decompilation,
since both are working with thye same language I would think there's
little between them as regards susceptibility to decompilation.
There's at least one AS 3.0 decompiler (that I'm aware of), abcdump:
http://www.5etdemi.com/blog/archives/2007/01/as3-decompiler/
It doensn't decompile to ActionScript but to some intermediate,
assembly-like language. Never the less, hardcoded strings are readable, so
putting your DD.BB login data in your swf is probably not the best idea...
Besides, it's just a matter of time for popular decompilers like Sothink and
ASV to support AS 3.0 (last time I checked, AS 3.0 versions were being
developed).
Almost in every case, I use xml generated by a php,asp or jsp back-end to
communicate with the DD.BB, mainly because my development environment is
usually Flash. WebServices are another alternative for both Flash and Flex,
and I know there are other ways just for Flex (Flex Data Services, I think
it was called one of those and HTTPService or something like that was
another). I haven't used Flex a lot myself, though, just remember that from
a "crash course" I took some months ago. I do remember it was easier (or at
least, it took less coding) than parsing the bare xml's from Flash.
In terms of a CMS application though, I think Flex wins hands down. It's
features for developing user interfaces are way ahead of Flash,
particularly with the ability to read and manipulate XML data and generate
and layout data-driven interfaces. I know Flash now has E4x in AS3, but
Flex goes beyond that.
I agree. If "flashy" animations are not a requirement (which seems to be ok
for a CMS), Flex will make things much easier on you.
Cheers
Juan Pablo Califano
----- Original Message -----
From: "Paul Andrews" <[EMAIL PROTECTED]>
To: "Flash Coders List" <[email protected]>
Sent: Saturday, January 26, 2008 8:21 PM
Subject: Re: [Flashcoders] Flash and Database Issue - Need Advice
----- Original Message -----
From: "Omar Fouad" <[EMAIL PROTECTED]>
To: "Flash Coders List" <[email protected]>
Sent: Saturday, January 26, 2008 9:39 PM
Subject: Re: [Flashcoders] Flash and Database Issue - Need Advice
What do you mean by "Whatever you fear about security using Flex is
equally
applicable to Flash." ?
You were concerned about decompilers being used to reverse-engineer the
code and therefore compromise security. I think it's known that there are
Flash decompilers for AS1/2. I haven't heard about an AS3 decompiler yet.
If you compare Flex and Flash (CS3/AS3) vulnerability to decompilation,
since both are working with thye same language I would think there's
little between them as regards susceptibility to decompilation.
IF you consider other security risks, for example interception of data
en-route to a database, there are essentially three mechanisms by which
that can be done
1) The client passes data between the client machine and a server
(typically via a http request of one form or another). There's no
difference between the vulnerability of Flash or Flex in this respect
since both would use the same kind of mechanisms. Besides plain HTTP you
have socket server and proprietary formats such as AMF, but both Flash and
Flex have access to these mechanisms equally.
2) The client (Flex or Flash) can use HTTPS to encrypt the data, so
there's little difference between Flex and Flash here.
3) Unusually a Flash or Flex client could use an SQL library to directly
make calls to a remote database. In this case the security is dependent on
the safety of the database protocols used and the ability to reverse
engineer the application. The database is publicly exposed to allow the
clients access.
4) I understand that SQL server does allow direct XML socket access,
thereby enabling Flash or Flex to directly access the database. This is
rather similar to 3.
So essentially there's little to choose security-wise between Flex and
Flash CS3/AS3. The most secure model involves a good server-side component
that controls access to the database and enforces security.
In terms of a CMS application though, I think Flex wins hands down. It's
features for developing user interfaces are way ahead of Flash,
particularly with the ability to read and manipulate XML data and generate
and layout data-driven interfaces. I know Flash now has E4x in AS3, but
Flex goes beyond that.
Paul
_______________________________________________
Flashcoders mailing list
[email protected]
http://chattyfig.figleaf.com/mailman/listinfo/flashcoders
_______________________________________________
Flashcoders mailing list
[email protected]
http://chattyfig.figleaf.com/mailman/listinfo/flashcoders
