Flex60460

Reputation: 993

Protect Air application content

On Mac OS, I see that all content in my application is readable (mxml and as files). Indeed, with a right-click on the application, you can see all the application content and so all the files. So it's very dangerous for a company to distribute an AIR application like that. Does a solution exist to protect those files?

Thanks

Upvotes: 1

Views: 1487

Answers (2)

SERPRO

Reputation: 10067

Although there are loads of decompilers which can read all your code, there is one guy who came up with an encryption solution; it might be worth a try. (It's for desktop AIR applications.)

Have a look at this post: http://forums.adobe.com/message/3510525#3510525

Quoted text (in case of page being erased)

The method I use will allow you to encrypt most of your source code using a key that is unique to every computer. The initial download of my software is a simple AIR app that does not contain the actual program. It is more like a shell that first retrieves a list of the client's MAC addresses and the user-entered activation code that is created at time of purchase. This is sent to the server and logged. The activation code is saved to a file client-side. At the server, the MAC address and activation key are used to create the encryption key. The bulk of the program code is then encrypted using that key, then divided into parts and sent back to the client. The client puts the parts back together and saves the encrypted file. At runtime the shell finds the MAC address list and the activation key, then, using the same method as the server, gets the encryption key and decrypts the program file. Run a simple check to make sure it loaded. For encryption I found an AES method that works in PHP and JavaScript.

Next I use this code to load the program

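// Create the window that will host the decrypted program.
var loader = air.HTMLLoader.createRootWindow(true, options, true, windowBounds);
loader.cacheResponse = false;
// Run the string in the application sandbox, so it gets full AIR API access.
loader.placeLoadStringContentInApplicationSandbox = true;
// page holds the decrypted program text.
loader.loadString(page);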

This method makes it very difficult to copy to another computer, although since I wrote it I know there are some weaknesses in the security, but to make it harder I obfuscate the shell code. It at least keeps most from pirating. However, there are issues with this that I have found. First, I was using networkInfo to get the list of MAC addresses, but this failed on a test Windows XP computer. When the wireless was off it did not return the MAC. I was not able to recreate this in Vista or 7. Not sure if it could happen. Was not tested on a Mac computer. To fix this (at least for Windows), I wrote a simple bat file that gets the MAC list, then converted it to an exe which is included. This does force you to create native installers. Call the exe with this:

var nativeProcessStartupInfo = new air.NativeProcessStartupInfo();
var file = air.File.applicationDirectory.resolvePath("findmac.exe");
nativeProcessStartupInfo.executable = file;
process = new air.NativeProcess();
// Register the listeners before starting so no output or exit event is missed.
process.addEventListener(air.ProgressEvent.STANDARD_OUTPUT_DATA, onOutputData);
process.addEventListener(air.ProgressEvent.STANDARD_ERROR_DATA, onErrorData);
process.addEventListener(air.NativeProcessExitEvent.EXIT, onExit);
process.addEventListener(air.IOErrorEvent.STANDARD_OUTPUT_IO_ERROR, onIOError);
process.addEventListener(air.IOErrorEvent.STANDARD_ERROR_IO_ERROR, onIOError);
process.start(nativeProcessStartupInfo);

Put the list together in the onOutputData event using array.push and continue on the onExit event. Using the findmac.exe will return the same info every time (that I know of). Beware, though, that using the native install will break the standard application update process, so you will have to write your own. My updates are processed the same way as above. This is the contents of the .bat file to get the MAC list:

@Echo off
SETLOCAL
SET MAC =
SET Media  = Connected
FOR /F "Tokens=1-2 Delims=:" %%a in ('ipconfig /all^| FIND "Physical Address"') do @echo %%b
ENDLOCAL

Using this method makes it simple to implement a try-before-you-buy method. At runtime, if there is no activation code, get the try-me version from the server instead of the full version.

Upvotes: 1

Arturo Alvarado

Reputation: 498

It is not possible to protect your code 100%. After all, if the computer can run it, it can be decompiled, regardless of the language. However, you can make it more difficult.

One method is to encrypt the swf as stated in another answer. But all the "attacker" needs to do is find the key and then they can decrypt all your swfs.

Another method is to use obfuscators. Obfuscators don't depend on encryption, nor do they prevent decompiling; they just make it harder to understand what gets decompiled.

For example, if you had a method called saveInvoice(), the obfuscator would rename it to aa1() or something like that, so it would make it difficult to guess what that function does. It basically turns everything into spaghetti code.

You can use a decompiler to see what can be obtained from a SWF file (which is a lot), and play with obfuscators to see if they meet your expectations.

An example of one is http://www.kindi.com/ which I'm not endorsing, by the way; it just shows up quickly on Google.

Upvotes: 1
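The machine-bound key scheme from the first answer, together with the limit the second answer raises, as an added example that is not code from either poster. It assumes SHA-256 over the activation code and a normalized MAC list for the key and AES-256-GCM for the cipher (the post says only "an aes method"); all function names and sample values are constructed. Every input to the key is available on the client, so this is a licence binding rather than a secrecy guarantee, and a changed MAC list (the Windows XP wireless-off case) makes decryption fail.

```javascript
// Added example: hashing choice, cipher mode and all names are assumptions.
const crypto = require("crypto");

// Normalize the MAC list so ordering and formatting do not change the key.
function normalizeMacs(macs) {
  return [...new Set(macs.map(m => m.toUpperCase().replace(/[^0-9A-F]/g, "")))]
    .filter(m => m.length === 12)
    .sort();
}

// Server and shell both run this: key = SHA-256(activation code | MAC list).
function deriveKey(macs, activationCode) {
  const material = activationCode + "|" + normalizeMacs(macs).join(",");
  return crypto.createHash("sha256").update(material, "utf8").digest();
}

// Server side: encrypt the program body for one machine.
function encryptProgram(source, macs, activationCode) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv("aes-256-gcm", deriveKey(macs, activationCode), iv);
  const body = Buffer.concat([cipher.update(source, "utf8"), cipher.final()]);
  return { iv, body, tag: cipher.getAuthTag() };
}

// Shell side: returns the program text, or null when the key does not match.
function decryptProgram(blob, macs, activationCode) {
  try {
    const d = crypto.createDecipheriv("aes-256-gcm", deriveKey(macs, activationCode), blob.iv);
    d.setAuthTag(blob.tag);
    return Buffer.concat([d.update(blob.body), d.final()]).toString("utf8");
  } catch (err) {
    return null; // wrong machine, wrong code, or the MAC list changed
  }
}

// Constructed sample data.
const CODE = "DEMO-0000-CODE";
const AT_ACTIVATION = ["00-1A-2B-3C-4D-5E", "00:1a:2b:3c:4d:5f"];
const WIRELESS_OFF = ["00-1A-2B-3C-4D-5E"]; // one adapter not reported
const blob = encryptProgram("<html>program body</html>", AT_ACTIVATION, CODE);

function demo() {
  return {
    sameMachine: decryptProgram(blob, ["001a2b3c4d5f", "00-1A-2B-3C-4D-5E"], CODE),
    adapterMissing: decryptProgram(blob, WIRELESS_OFF, CODE),
    wrongCode: decryptProgram(blob, AT_ACTIVATION, "OTHER-CODE"),
  };
}
```

The `adapterMissing` case is why a shell built this way needs a recovery path, such as re-activation against the server, for legitimate users whose adapter list changes.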
