Security Soapbox – Decompile Flash/Flex


Having built/architected/developed/consulted many Adobe Flex applications and being one of the first certified Flex instructors in the world, I’ve seen a lot of Flex applications. Some good, some bad.

But no matter how many applications or who I’m talking to, I always stress the importance of securing proprietary information. By securing, I mean don’t put it in your application. Unless you are encrypting your application and decrypting at runtime, you are subject to a decompiler exposing your secrets.
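The point above can be checked on your own build output without any decompiler at all: a SWF is either stored uncompressed ("FWS") or zlib-compressed after its 8-byte header ("CWS"), and once inflated every string constant the compiler emitted is sitting there as plain bytes. The script below is an added example, not code from the original post; the sample SWF is a constructed stand-in for a real compiler artifact, and the pattern list and function names are my assumptions.

```python
"""Added example: audit a compiled SWF for secret-looking string constants.

Constructed sample data; the pattern list and function names are assumptions.
"""
import re
import struct
import zlib

# Strings a reviewer would flag in a client-side artifact (assumed list).
SECRET_RE = re.compile(rb"(?i)(api[_-]?key|secret|password|license[_-]?key)\s*[:=]\s*[!-~]{6,}")


def swf_body(data: bytes) -> bytes:
    """Return the SWF body after the 8-byte header, inflated if the file is CWS."""
    if len(data) < 8 or data[1:3] != b"WS":
        raise ValueError("not a SWF file")
    # Header: 3-byte signature, 1-byte version, little-endian uint32 total (uncompressed) length.
    declared_len = struct.unpack("<I", data[4:8])[0]
    body = data[8:]
    if data[0:1] == b"C":
        body = zlib.decompress(body)  # CWS: zlib-compressed after the header
    elif data[0:1] != b"F":
        raise ValueError("LZMA ('ZWS') SWFs are not handled in this example")
    if len(body) + 8 != declared_len:
        raise ValueError("declared length does not match inflated body")
    return body


def find_secrets(swf: bytes) -> list[str]:
    """Return secret-looking string constants found in the SWF body."""
    body = swf_body(swf)
    return [m.group(0).decode("latin-1") for m in SECRET_RE.finditer(body)]


def build_sample_swf(compressed: bool) -> bytes:
    """Constructed stand-in for a compiled SWF that embeds a license string."""
    body = b"\x00\x00constant pool\x00licenseKey=ABCD-1234-EFGH\x00end"
    header = (b"CWS" if compressed else b"FWS") + b"\x0a" + struct.pack("<I", 8 + len(body))
    return header + (zlib.compress(body) if compressed else body)


if __name__ == "__main__":
    # Compressing the SWF hides nothing: both forms give up the embedded key.
    for swf in (build_sample_swf(False), build_sample_swf(True)):
        print(find_secrets(swf))
```

Point `find_secrets` at a real build artifact (`open("app.swf", "rb").read()`) as a pre-release check; anything it reports belongs on the server side, not in the SWF.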

There are Flash decompilers that will take any SWF and give you the source:
Trillix Flash Decompiler is one of the best commercial tools I’ve found.
I’ve even seen guys decompile, make changes and then recompile a Flex app. This is scary! Say goodbye to licensing software in Flash.

But HP just released a tool that has caught my eye as well. (Note: I have not tested this tool.) It claims to decompile and test for security weaknesses. It’s called SWFScan and it’s a free Windows-based tool from HP.

If security in a Flex or Flash based application is a concern for you, you must look at these tools. If security is not your concern, look anyway.

3 Responses to “Security Soapbox – Decompile Flash/Flex”

  1. I don’t know if I’d go so far as to say goodbye to licensing software in Flash, just that I wouldn’t keep the guts of the licensing system inside the flash player. The article I wrote highlighting how it’s possible to decompile, make changes and recompile was mainly to wake people up to the possibilities that exist out there and to highlight how Nitro-LM’s approach to licensing software is fundamentally different and not as susceptible to this type of attack.

  2. Decompilers have existed in Flash since the earliest days. “Say goodbye to licensing software in Flash”? When did we say hello?



Rob Rusher :.: Building Engaging Experiences for the Browser, Desktop, Mobile and TV