Click to See Complete Forum and Search --> : Some security tips for flash

01-24-2001, 04:48 AM
I´m hoping this board will be really professional.
I´d tried to translate this following text from german in english.
It is a part of an article from an german "internet pro"

Additional security functions for flash files
1.disable caching

One method to protect the swf files is to disable the caching function of the browser.
You have to add followin metatags in the header of the HTML:
<META HTPP-EQUIV = „pragma“ content = „nocache“ >
<META HTPP-EQUIV = „expires“ content = „Thu, 1 January 1900 00:00:00 PST“>
For the date you can choose any time.

- The advantage is that no one can easily take your swf from temporary internet files.
- The disadvantage is that the user have to reload the swf at every new access.

2. wrong actionscript

Another method is a little bit more tricky and aims at a potentially hacker attack.
The trick is to place wrong action script in the movie to force the hacker to
identify the right code in order to look through the movie.
Very popular are deep hidden get-URL commands, which get relativ files from the server.
These files are invisible in the flash movie. Because the hacker don´t know this he has
To reconstruct the structure exactly.

3. URL-check

A simple way is the url-check. A little script in the movie check where the movie plays.
If the location is wrong an error message appear.
The script has the following structure:

Adress = this._urld;
Test = http://the domain.de/the swf.swf
If (adress == test){
gotoandplay (100)
At frame 100 is the error message.

4. hidden files

The last possibility is to create one movie as a dummy movie which loads the real movie.
The name of the real movie can be covered as a *.jpeg or any other file format. Flash doesn´t matter which termination the file has .

01-24-2001, 05:03 AM
Appart from the 1rst one (which can be very effective but of course I will not implement since I want my users to be able to enter my site at full speed! :D ), the rest look like an cool option! :D

however, if an experienced hacker wants to steal your work, there is simply no way you can avoid it. Still, not so professional hackers will find it trickier, so thx! :)


01-24-2001, 06:10 PM
Hi !

1. You can't disable caching - sorry :)
You can force browser always download .swf files from server, but not using that (http://www.macromedia.com/support/flash/ts/documents/prevent_caching.htm) stupid macromedia suggestions - it must be something like it (http://board.flashkit.com/board/showthread.php?threadid=87752), but it is still far from ideal. But you absolutely can't say browser not to store file in cache folder... It is true and we have to live with it :)
2. May be :) from 12 years hackers :) But not older :)
3. Good direction, but everybody will be able to read that "http://the domain.de/the swf.swf" inside .swf file and change it in any HEX editor for something more short.
4. This one is the only really good direction
And at last
5. You forget about http://www.buraks.com/asv/ :)

Generally: There is no way to protect your job, but if you will pay more attention to server scripts and make integration deeper (like loading all initialization variables from scripts and calling same scripts again from flash with some POST data , and they must give another (wrong) reply to that second call) can make life of "flash hackers" more hard :) But nothing more serious then "more hard" - sorry :)

01-24-2001, 09:03 PM
listen - I heard all these stories about people cracking swfs - so ..... I did it.

there, I said it.

In the interest to see how easy this was, I searched all these hackers IRC pages and warez and all this garbage, and finally found some software, cracked one of my swfs and guess what?

let them do it. Now, maybe I did something wrong, but all I got was a huge single timeline with (poor quality) pictures - all in individual keyframes, no AS and no real info.

???? Thoughts, opinions???

I always thought cracking meant viewing my precious code and such, but no, not with what I used -

I dont wish to get into the legalities here - I kept hearing about it, was curious on how much is myth, and cracked MY stuff (turns out its myth people - all myth)

???? or - has anyone heard its a whole lot more.

seems to me though, if this is all that comes out of it, you can do the same with File>import, and hey - even macromedia.com tells you that.