[Flashcoders] is imported db text safe from decompilers?
Good day all,

To test my Flash site, I downloaded the free version of Sothink SWF Decompiler and was surprised at how much it was able to obtain from my SWF - even the AS files in a protected folder on the server! Impressive in its own way...

I have used amfphp to import text from a MySQL database. This text did not appear in the decompiler. Is imported database text safe from a SWF decompiler?

-Webmaster Mack

___
Flashcoders mailing list
Flashcoders@chattyfig.figleaf.com
http://chattyfig.figleaf.com/mailman/listinfo/flashcoders
Re: [Flashcoders] is imported db text safe from decompilers?
> To test my Flash site, I downloaded the free version of Sothink SWF Decompiler and was surprised at how much it was able to obtain from my SWF - even the AS files in a protected folder on the server! Impressive in its own way...
>
> I have used amfphp to import text from a MySQL database. This text did not appear in the decompiler. Is imported database text safe from a SWF decompiler?

Yes, but it can easily be viewed as it's coming across the wire using packet sniffers or other similar tools.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized instruction at our training centers in Washington DC, Atlanta, Chicago, Baltimore, Northern Virginia, or on-site at your location. Visit http://training.figleaf.com/ for more information!
[Flashcoders] is imported db text safe from decompilers?
I should have mentioned that I am also using an SSL certificate to encrypt traffic to and from the site. Doesn't this deter packet sniffers?

-Webmastermack

> Yes, but it can easily be viewed as it's coming across the wire using packet sniffers or other similar tools.
>
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/
Re: [Flashcoders] is imported db text safe from decompilers?
This won't solve the issue. SSL certs do encrypt data, but they are not meant to encrypt the data so that it is unreadable to the end user... they are meant so that if I am conducting a transaction online, it encrypts all the data so that Bob over in Arkansas can't jack the posted form data. So, if I am looking at the net stream through a common tool like Firebug, I will definitely be able to see all the data going to and from Flash Player.

- Taka

On Wed, May 13, 2009 at 12:32 PM, webmastermack webmasterm...@yahoo.com wrote:
> I should have mentioned that I am also using an SSL certificate to encrypt traffic to and from the site. Doesn't this deter packet sniffers?
>
> -Webmastermack
>
> > Yes, but it can easily be viewed as it's coming across the wire using packet sniffers or other similar tools.
> >
> > Dave Watts, CTO, Fig Leaf Software
> > http://www.figleaf.com/
Re: [Flashcoders] is imported db text safe from decompilers?
> I should have mentioned that I am also using an SSL certificate to encrypt traffic to and from the site. Doesn't this deter packet sniffers?

It prevents third parties from monitoring network traffic. It doesn't prevent either endpoint (client or server) from monitoring network traffic.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
[Flashcoders] is imported db text safe from decompilers?
Good points have been raised. Thank you for your quick feedback!

Does anyone have recommendations for keeping text data as safe as possible? Is there a different track I should be taking? (I am open to leaving the Flash environment as well)

-Webmaster Mack
Re: [Flashcoders] is imported db text safe from decompilers?
If you are worried about the client accessing your data outside of the player, you just have to live with it; for, if someone is good enough they will find a way. For example:

- If you are using the browser's SSL capability, I would just create a proxy for the browser (thanks for the slap on the head Dave).

If you encrypt it directly from the Flash Player that is a little safer; yet:

- If you generate the SWF and the keys are in the SWF when downloaded, the SWF can be decompiled and the keys easily found.
- If you are generating the keys on the fly in the SWF, you have to worry about a person that can spy on variables in memory. There is a way where you encrypt variables in memory; yet, there is still that instance where the data is in open text before being translated and then encrypted.

Security in Flash doesn't really exist; however, you can put up so many hurdles that it would take a hacker forever, forcing them to lose interest; yet, persistence and resistance are tied hand to hand, so that thinking could backfire.

The only real security exists for languages on machines that randomly generate keys at the hardware level and where the code that runs on them is deciphered at runtime; yet, you would also need several incorruptible and extremely heavily armed guards making sure that a hardware engineer doesn't get within 10 miles of it; however, cut off their food/air supply and you have access to the machines. If you are at an end point you have access to the data.

Waiting for Dave to rip into my post,
Anthony

webmastermack wrote:
> I should have mentioned that I am also using an SSL certificate to encrypt traffic to and from the site. Doesn't this deter packet sniffers?
>
> -Webmastermack
>
> > Yes, but it can easily be viewed as it's coming across the wire using packet sniffers or other similar tools.
> >
> > Dave Watts, CTO, Fig Leaf Software
> > http://www.figleaf.com/
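Anthony's point that keys shipped inside the SWF are easily found, and Mack's surprise at how much the decompiler pulled out of his file, both come down to the SWF container being a plain, documented tag stream. The following is an added example written for this page, not code from the thread, from Sothink or from any other decompiler: it walks the tag stream of an FWS (uncompressed) or CWS (zlib) file and then sweeps the bytecode-carrying tags for printable strings, which is roughly a decompiler's first step before it reconstructs ActionScript. It builds its own sample SWF inline so it runs offline; that sample, its class and constant names and the key `k3y-0f-d00m-2009` in its DoABC tag are all constructed for the demonstration.

```python
"""Walk a SWF's tag stream and sweep the code-bearing tags for string
constants, which is roughly what a decompiler does before it even starts
reconstructing ActionScript.  Added example with a built-in sample; no file
I/O needed."""
import re
import struct
import zlib

# Tag codes from the SWF file format specification (only the ones used here)
TAG_END = 0
TAG_SHOW_FRAME = 1
TAG_DO_ACTION = 12            # AS1/AS2 bytecode
TAG_FILE_ATTRIBUTES = 69
TAG_DO_ABC = 82               # AS3 bytecode (an ABC block)
TAG_DEFINE_BINARY_DATA = 87   # bytes embedded via [Embed(mimeType="application/octet-stream")]
CODE_TAGS = {TAG_DO_ACTION, TAG_DO_ABC, TAG_DEFINE_BINARY_DATA}


def _rect_len(data, off):
    """Byte length of the bit-packed RECT at data[off:]: 5-bit Nbits, then 4 x Nbits bits."""
    nbits = data[off] >> 3
    return (5 + 4 * nbits + 7) // 8


def parse_swf(blob):
    """Return (version, [(tag_code, payload), ...]) for an FWS or CWS file."""
    sig, version, file_len = struct.unpack('<3sBI', blob[:8])
    body = blob[8:]
    if sig == b'CWS':                 # everything after the 8-byte header is zlib-compressed
        body = zlib.decompress(body)
    elif sig != b'FWS':
        raise ValueError('unsupported signature %r (ZWS/LZMA not handled here)' % sig)
    if len(body) + 8 != file_len:
        raise ValueError('header length does not match decompressed size')
    off = _rect_len(body, 0) + 2 + 2  # skip FrameSize RECT, FrameRate UI16, FrameCount UI16
    tags = []
    while off + 2 <= len(body):
        (hdr,) = struct.unpack_from('<H', body, off)   # RECORDHEADER: code<<6 | length
        off += 2
        code, length = hdr >> 6, hdr & 0x3F
        if length == 0x3F:            # long form: a UI32 length follows
            (length,) = struct.unpack_from('<I', body, off)
            off += 4
        tags.append((code, body[off:off + length]))
        off += length
        if code == TAG_END:
            break
    return version, tags


def printable_strings(payload, min_len=6):
    """Runs of printable ASCII, like strings(1).  A real decompiler instead parses
    the ABC constant pool, which yields the same values with names attached."""
    return [m.decode('ascii')
            for m in re.findall(rb'[\x20-\x7e]{%d,}' % min_len, payload)]


def strings_in_code_tags(blob):
    """Every string constant sitting in bytecode or embedded-data tags."""
    _, tags = parse_swf(blob)
    return [(code, s) for code, payload in tags if code in CODE_TAGS
            for s in printable_strings(payload)]


# --- constructed sample (not a real site's SWF) -----------------------------

def _rect(xmin, xmax, ymin, ymax, nbits=15):
    bits = format(nbits, '05b') + ''.join(
        format(v & ((1 << nbits) - 1), '0%db' % nbits) for v in (xmin, xmax, ymin, ymax))
    bits += '0' * (-len(bits) % 8)
    return int(bits, 2).to_bytes(len(bits) // 8, 'big')


def _tag(code, payload):
    if len(payload) < 0x3F:
        return struct.pack('<H', (code << 6) | len(payload)) + payload
    return struct.pack('<HI', (code << 6) | 0x3F, len(payload)) + payload


def build_sample_swf():
    """A CWS (zlib) SWF whose DoABC tag carries a hard-coded key: the mistake
    under discussion, constructed here so the sweep has something to find."""
    # Minimal ABC constant pool: version 46.16, empty int/uint/double pools, then
    # the string pool (its count includes the implicit empty entry 0; a u30 is a
    # single byte for values under 128).  Names and key are made up.
    strings = [b'com.example.Config', b'AES_KEY', b'k3y-0f-d00m-2009', b'decrypt']
    abc = (b'\x10\x00\x2e\x00' + b'\x00\x00\x00' + bytes([len(strings) + 1])
           + b''.join(bytes([len(s)]) + s for s in strings))
    do_abc = struct.pack('<I', 1) + b'frame1\x00' + abc   # flags, name, ABC data
    body = (_rect(0, 11000, 0, 8000)                      # 550x400 px stage, in twips
            + struct.pack('<HH', 24 << 8, 1)              # 24 fps (8.8 fixed), 1 frame
            + _tag(TAG_FILE_ATTRIBUTES, struct.pack('<I', 0x08))  # ActionScript3 bit
            + _tag(TAG_DO_ABC, do_abc)
            + _tag(TAG_SHOW_FRAME, b'')
            + _tag(TAG_END, b''))
    header = struct.pack('<3sBI', b'CWS', 10, 8 + len(body))
    return header + zlib.compress(body)


if __name__ == '__main__':
    for code, s in strings_in_code_tags(build_sample_swf()):
        print('tag %d: %s' % (code, s))
```

Feed `parse_swf` the bytes of a real file (`open(path, 'rb').read()`) to list its tags; ZWS (LZMA) files would need decompressing first. A proper decompiler goes one step further and parses the ABC constant pool, so the same constants surface with the class and variable names around them, and obfuscators only rename those identifiers, not the key bytes the code needs at runtime. Database text fetched through amfphp never sits in any of these tags, which is why Mack did not see it here; it is the other replies' point that it is visible at the endpoint instead.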
Re: [Flashcoders] is imported db text safe from decompilers?
Hi,

It's more about risk assessment and minimising it than how to keep it safe.

If your data is so sensitive that Joe Public should not see it, then allowing access to the data over the internet is probably a bad thing to do...

Otherwise, if it's not hugely sensitive, perhaps personal information or commercial information that you need to restrict from just anyone using, you can try to reduce the risk of the data falling into the wrong hands by restricting access to it - e.g. password protect the data. Then your weakest link is the people themselves (assuming your code does not have bugs).

If you just have a system that does not let the people accessing it change the text data or their account details, then that can be made safe reasonably easily - the simplest way is basic HTTP Authentication using htaccess / htpasswd on Apache to restrict access to the URLs with Flash, etc. on. Once you start allowing people to change things like content and passwords, etc., then it becomes more risky - more possibility of bugs / exploits cropping up.

So, you need to weigh up how bad it is if your text gets out (cost / reputation / business wise) vs how strong you need to make your security (money / time programming it in). Someone will always find a way to break in; if you can keep that to an acceptable minimum, you are on a winner.

AMFPHP did support some sort of authentication system out of the box, but I don't know much about this - check out the docs...

Glen

webmastermack wrote:
> Good points have been raised. Thank you for your quick feedback!
>
> Does anyone have recommendations for keeping text data as safe as possible? Is there a different track I should be taking? (I am open to leaving the Flash environment as well)
>
> -Webmaster Mack

--
Glen Pike
01326 218440
http://www.glenpike.co.uk
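The htaccess / htpasswd route Glen mentions, written out as an added example for this page (not from the thread or from amfphp): a .htaccess for the folder that holds both the SWF and the amfphp gateway. The paths, the realm name and the user name are assumptions, as is an Apache with mod_ssl and mod_auth_basic loaded and `AllowOverride AuthConfig` permitted for that directory. The commented-out first version is the common weak setting: Basic auth over plain HTTP sends the credentials merely base64-encoded, which is plaintext to anyone sniffing the wire. The second version refuses requests that did not arrive over TLS, so the login and the AMF responses only travel inside the TLS session.

```apache
# Added example: /var/www/site/app/.htaccess (path assumed).  Keep the SWF, its
# HTML wrapper and the amfphp gateway.php together in this folder; protecting
# only the folder with the SWF leaves the data endpoint it calls wide open.

# Weak: the same directives without SSLRequireSSL also answer over plain HTTP,
# where Basic credentials are only base64-encoded, i.e. readable on the wire.
#
#   AuthType Basic
#   AuthName "Members"
#   AuthUserFile /etc/apache2/.htpasswd
#   Require valid-user

# Corrected: refuse anything that did not come in over TLS, then require a login.
SSLRequireSSL
AuthType Basic
AuthName "Members"
AuthUserFile /etc/apache2/.htpasswd
Require valid-user

# The password file lives outside the web root (path assumed).  Create it with
#   htpasswd -c /etc/apache2/.htpasswd alice
# and add further users with the same command without -c.
```

This only decides who may fetch the data. Anyone holding a valid login is still an endpoint and sees the decrypted text, which is the point the earlier replies make; the htpasswd step reduces the audience, it does not hide anything from the people in it.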
Re: [Flashcoders] is imported db text safe from decompilers?
Encrypt your text using a super crazy encryption algorithm. Then, create a swc that contains the key and algorithm to decrypt the text. Then, encrypt that swc using another super crazy encryption algorithm. Load the swc at runtime as raw bytes, decrypt it in memory, and then instantiate it as the class you need. Decrypt the text. Null out the swf instance and the bytes. Force the gc to run. That's about as protected as you can get.

Obviously, you'll need a pretty strong challenge response system in place to get the shared key to decrypt the swc in memory.

Don't know how to do this? Watch this: http://onflash.org/ted/2008/10/360flex-sj-2008-encrypting-flex.php
Re: [Flashcoders] is imported db text safe from decompilers?
Very interesting video. Thanks for the info!

-Mack

--- On Wed, 5/13/09, Steven Sacks flash...@stevensacks.net wrote:

> From: Steven Sacks flash...@stevensacks.net
> Subject: Re: [Flashcoders] is imported db text safe from decompilers?
> To: Flash Coders List flashcoders@chattyfig.figleaf.com
> Date: Wednesday, May 13, 2009, 3:58 PM
>
> Encrypt your text using a super crazy encryption algorithm. Then, create a swc that contains the key and algorithm to decrypt the text. Then, encrypt that swc using another super crazy encryption algorithm. Load the swc at runtime as raw bytes, decrypt it in memory, and then instantiate it as the class you need. Decrypt the text. Null out the swf instance and the bytes. Force the gc to run. That's about as protected as you can get.
>
> Obviously, you'll need a pretty strong challenge response system in place to get the shared key to decrypt the swc in memory.
>
> Don't know how to do this? Watch this: http://onflash.org/ted/2008/10/360flex-sj-2008-encrypting-flex.php