I think there used to be a technique for making inner code more secure by loading in controller classes at runtime from the server instead of embedding them in the source. However, that iOS loading restriction would probably hamper this. I think that was more for use with Flash player.
David

-----Original Message-----
From: Sean Thayne <[email protected]>
To: [email protected]
Sent: Wed, 19 Feb 2014 2:40 PM
Subject: Re: Air apps easily decompiled and hacked

It looks like every var declared inside a function is obscured/renamed. But all class vars (regardless of protected, public, private) are not obscured. They keep their original naming.

Which would make sense if you're compiling a swc, but not if you're compiling a final application (I would think). Maybe it was created this way for RSLs?

-Sean Thayne

On Wed, Feb 19, 2014 at 1:33 PM, Gordon Smith <[email protected]> wrote:

> Are you sure the others that aren't obscured are locals? I'd bet they're
> instance variables.
>
> - Gordon
>
> -----Original Message-----
> From: Sean Thayne [mailto:[email protected]]
> Sent: Wednesday, February 19, 2014 12:24 PM
> To: [email protected]
> Subject: Re: Air apps easily decompiled and hacked
>
> Ya, you're right Alex, I re-checked, and there are no comments. It does keep
> trace() calls though.
>
> I also noticed that it does obscure some local vars into _loc_# vars,
> but it doesn't obscure others, which I think is kinda weird.
>
> -Sean Thayne
>
>
> On Wed, Feb 19, 2014 at 11:47 AM, Alex Harui <[email protected]> wrote:
>
> > Comments are easily viewable? I don't think so. It also depends on
> > whether you have the original source files or not. For Google
> > Closure, if you have a source map, you can get back to the source as
> > well.
> >
> > Try dumping out an export release version of one of your SWFs. Sure
> > you can get back from the byte code to the basic algorithm, but I
> > don't think it is that much easier than deciphering a minified js or
> > even looking at Intel byte code in an EXE file.
> >
> > -Alex
> > ________________________________________
> > From: Sean Thayne <[email protected]>
> > Sent: Wednesday, February 19, 2014 8:21 AM
> > To: [email protected]
> > Subject: Re: Air apps easily decompiled and hacked
> >
> > I'm actually more concerned about the plain readability of the AS3,
> > even comments are easily viewable. Whereas a JS site that has been
> > compiled with Google Closures is minimized and heavily obscured. I feel
> > like it would be very easy to steal someone's hard work.
> >
> > -Sean Thayne
> >
> >
> > On Wed, Feb 19, 2014 at 9:18 AM, Gary Yang <[email protected]> wrote:
> >
> > > Client side cannot be trusted, server api should always be the
> > > security gate!
> > >
> > > After all there are certain applications that can encrypt Flash
> > > applications, Javascript application is just plain text!!!
> > >
> > >
> > > On Wed, Feb 19, 2014 at 11:08 AM, Sean Thayne <[email protected]> wrote:
> > >
> > > > Anybody else concerned about decompilers like SoThink?
> > > >
> > > > http://www.ericzhang.me/cracking-adobe-air-applications/
> > > >
> > > > -Sean Thayne
