So, let's say they find your highscore property and they just happen to also find the method that sends the data to the server. With Xray, they could update the highscore, then submit it by calling the method through Xray. So, data integrity to the server becomes the issue.
The concern, I had thought, was over someone snooping around methods/properties/proprietary implementations at runtime with Xray. Other than submitting bogus data, there's not really an issue that I can think of that would do any harm. Like Bob said: Server should never trust the client. I would think that people would still use something like ASV to decompile an SWF if they wanted to see how the app works. They'd use Xray to affect something server side at runtime. So, yeah, I haven't felt a need to pull the Xray connector from any of the sites I've done, but then again, none of them talk to any data source. I could care less if someone wants to know how I did something and if they do it at runtime with Xray, have at it. In fact, if they come away from the experience still able to say their own name and eat normally, hehe, they've earned it ;)
And when it's all said and done, I think Bob's Rule makes sense (if that's the one where you simply rename the connector SWF or remove it altogether). But I still say that passing a URL at runtime (not published with the SWF) that would be the URL of the connector SWF would be even more secure. If you just rename a file to do debugging, you run the chance that someone at the same time could be trying to see if Xray is alive on the site. Might be unlikely, but it's still possible.
Bottom line, I think you guys might agree, is that if you're sending/receiving data with a server, pull Xray when you go live, or put into effect Bob's Rule ;)
One other thought: What about adding the ability to specify the domain that Xray should not work on? or a list of domains it should/should not work on? I mean, here's a scenario:
You have 3 locations for your site: local (localhost), staging server (clientName.mydomain.com), production server (www.clientDomain.com)
You put Xray on stage, and you define an array of domains it SHOULD work on: localhost, clientName.mydomain.com
When you finally push it to production, Xray doesn't work, but in staging and local, it does.
Thoughts?
On 1/7/06, Rob Bateman <[EMAIL PROTECTED]> wrote:
Is this a concern over protecting ActionScript code or a concern over protecting sensitive information (like passwords)? If it's the former then I agree with Bob, you are powerless to stop people getting their hands on your code *eventually*, and the whole exercise is meaningless. If it's the latter, then this is just sticking to the principle of 'no sensitive information in the SWF'; allowing access to an Xray debugger could be considered a security risk, so the whole thing makes sense.

John, is there any example you can think of where someone could use Xray for 'evil' ends? By which I mean ends that affect the website database or whatever else a SWF could access? If we're following Bob's Rule (which I think this should be christened as, btw) then in theory there shouldn't be any risk at all... what you're then left with is a security risk that involves hacks snooping round your classes going 'ooo, he's used a multidimensional array to iterate the properties etc...' which I think I for one could live with. Maybe I'm missing something.

Rob

On 1/7/06, John Grden <[EMAIL PROTECTED]> wrote:
"Actually, you can only guarantee security if you don't publish the SWF"
_______________________________________________
I think some are missing what I've been saying because this is EXACTLY what I've been saying: no URL / password / username / IP would be published with any SWF at all.
You have a dumb connector and you have an interface. They talk via localConnection.
If you tell your application to load the connector SWF, and the file DOES exist, it loads. Otherwise, it fails silently.
How does the app know where to get the connector SWF? YOU tell it through the interface (Xray interface where you take snapshots - physically type it in), which tells your application the URL for the connector.
So, there's no information that's published in any SWF at all. If someone caches your SWFs and views them with ASV, they get nada/nothing. The developer has to know the URL of the connector or it's all over.
So, no proprietary information is ever in any of the SWFs.
Have I missed something in this scenario? thoughts?
osflash mailing list
[email protected]
http://osflash.org/mailman/listinfo/osflash_osflash.org
--
~~~~~~~~~~~~~~~~~~~~~~~~
Rob Bateman - Flash Product Manager
BBC News Interactive
Tel: 0208 6248692
Mob: 07714 329073
[EMAIL PROTECTED]
~~~~~~~~~~~~~~~~~~~~~~~~
--
John Grden - Blitz
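An added example, not code from this thread or from the Xray project, of the domain allowlist John proposes above, written in ActionScript 2 (the Flash version of the time): the connector SWF is loaded only when the host of the running SWF is on an exact-match list, and otherwise nothing happens, silently. The class name `DebugGate`, the method names, the `xrayConnector` clip name and the sample hostnames are all assumptions; the connector URL is passed in at runtime rather than compiled into the SWF, in line with the "nothing published in the SWF" point made earlier in the thread.

```actionscript
// Added example (not part of the osflash thread or of Xray itself).
// Gates loading of a debug connector SWF on the host the main SWF was served from.
// All names below are hypothetical.
class DebugGate {
    // Hosts on which the connector may load. Production (www.clientDomain.com)
    // is deliberately absent, so a build pushed live simply never loads it.
    private static var ALLOWED_HOSTS:Array = ["localhost", "clientName.mydomain.com"];

    // Pull the host out of a URL such as "http://clientName.mydomain.com:8080/app.swf".
    // Returns "" when there is no host (e.g. local file:///C:/... playback).
    public static function hostOf(url:String):String {
        var schemeEnd:Number = url.indexOf("://");
        if (schemeEnd == -1) return "";
        var rest:String = url.substring(schemeEnd + 3);
        var slash:Number = rest.indexOf("/");
        var authority:String = (slash == -1) ? rest : rest.substring(0, slash);
        var at:Number = authority.indexOf("@");      // strip any user:pass@ prefix
        if (at != -1) authority = authority.substring(at + 1);
        var colon:Number = authority.indexOf(":");   // strip any :port suffix
        if (colon != -1) authority = authority.substring(0, colon);
        return authority.toLowerCase();
    }

    // Exact, case-insensitive comparison against the list. A substring test such as
    // host.indexOf("localhost") != -1 would also match "localhost.example.net"
    // (a constructed name), so the whole hostname is compared, not a fragment.
    public static function isAllowed(host:String):Boolean {
        for (var i:Number = 0; i < ALLOWED_HOSTS.length; i++) {
            if (ALLOWED_HOSTS[i].toLowerCase() == host) return true;
        }
        return false;
    }

    // Load the connector into 'target' only on an allowed host; return whether it was attempted.
    // connectorUrl is supplied at runtime (typed into the interface), never stored in the SWF.
    public static function loadConnector(target:MovieClip, connectorUrl:String):Boolean {
        var host:String = hostOf(target._url);
        // Local playback from disk counts as the "local" environment.
        if (host == "" && target._url.indexOf("file:") == 0) host = "localhost";
        if (!isAllowed(host)) return false;          // fail silently, as described above
        target.createEmptyMovieClip("xrayConnector", target.getNextHighestDepth());
        target.xrayConnector.loadMovie(connectorUrl);
        return true;
    }
}

// Usage from the main timeline, with the URL obtained at runtime from the interface:
// DebugGate.loadConnector(_root, urlTypedIntoInterface);
```

Two caveats follow from the rest of the thread. First, this check lives in the client, so someone who can already rewrite the SWF can remove it; the allowlist only prevents a stock production build from ever talking to a connector, it is not a substitute for "pull Xray when you go live". Second, none of this changes the highscore problem raised at the top of the message: whatever gating the client does, the server still has to validate what it receives.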