I have an Alchemy-compiled SWC which contains methods to perform certain key algorithms. For security purposes, these methods should return values only if the user is authorized (has bought a license from an online service). So I am planning to add another SWC on top of this, which has all the licensing code. But when I import the Alchemy-generated SWC inside my custom SWC, all the Alchemy methods are exposed. Any ideas how to restrict their access? I.e., I want these methods to be usable only within the custom component, not by those who use the custom component.
2 Answers
Welcome to the world of security in Flash, where there is no such thing. The problem is that the client has your code, always. Therefore you cannot employ any tactic to always protect your code from the client. Even if you encrypt and decrypt your binaries, the code, or the key, is always in memory. This is one reason why next-generation gaming companies are trying to write games that run on servers and just provide a remote UI to end users. So basically the only way you're really going to protect anything is by writing the functionality on the server side. See this comment for more:
What is the best way to stop people hacking the PHP-based highscore table of a Flash game
Also, I just want to say I'm not just talking out my ear here. I once developed a real-time binary encryption/decryption scheme in Alchemy for Flash and tried to be the genius that made Flash secure through such a service. Although yes, perhaps such a thing could protect content from a basic user, you're always going to have your binaries and thus your source code OR at the very least your cryptographic algorithm + key exposed to the end user, so eventually someone is going to come along and compromise your system.

- Thanks for the detailed info and link, but the server-client solution is something I want to prevent in this application. This is an AIR app finally and the calculations I get from Alchemy should be live, so is my decision to reduce server requests/responses. – mobdev999 May 16 '11 at 04:55
- @paleozogt makes a good point. Also, if you're up to the task and have SSL capability, you could create a basic file encryption/decryption algorithm in Flash, load your SWC at runtime, grab the key over SSL, decrypt the SWC, load it and destroy the key from memory immediately. Even still, though, someone savvy enough could still compromise this system, so alternatively you could have the decryption take place on the server side and stream the SWC bytes down to Flash over a socket and load the object from memory using a one-time key. – May 20 '11 at 16:10
- About my above suggestion, I've tried this myself and as long as the file is relatively small (5 megs or less) and your key isn't ridiculously long, the performance client side is very good. – May 20 '11 at 16:11
- Very true that server-side techniques do work well in this kind of client solution, but this is going a little off topic. Anyway, thanks to all who have given thought to this and tried to explain the possibilities. But the exact requirement is not served. – mobdev999 May 23 '11 at 08:11
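The server-side approach recommended in the answer above, as an added example that is not part of the original thread: the protected calculation stays on the server, and a result is returned only for a license token whose HMAC verifies. The token format, `SERVER_SECRET`, `key_algorithm` and `handle_request` are assumptions made for illustration.

```python
import hashlib
import hmac
import time

# Constructed placeholder; a real service loads this from server-side secret storage.
SERVER_SECRET = b"constructed-demo-secret"


def _mac(payload: str) -> str:
    return hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()


def issue_license(user_id: str, expires_at: int) -> str:
    """Issued by the licensing service after purchase: 'user|expiry|hex_mac'."""
    payload = f"{user_id}|{expires_at}"
    return f"{payload}|{_mac(payload)}"


def verify_license(token: str, now: int) -> bool:
    """Check the MAC in constant time, then the expiry. Malformed tokens fail closed."""
    parts = token.split("|")
    if len(parts) != 3:
        return False
    user_id, expiry, mac = parts
    expected = _mac(f"{user_id}|{expiry}")
    # Compare as bytes so non-ASCII input cannot raise inside compare_digest.
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return False
    return expiry.isascii() and expiry.isdigit() and int(expiry) > now


def key_algorithm(values):
    """Hypothetical stand-in for the protected calculation."""
    return sum(v * v for v in values)


def handle_request(token: str, values, now=None):
    """Endpoint body: the client only ever receives the result, never the code."""
    now = int(time.time()) if now is None else now
    if not verify_license(token, now):
        return {"status": 403, "error": "license invalid or expired"}
    return {"status": 200, "result": key_algorithm(values)}
```
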
Ascension Systems' answer is correct: you can't prevent theft of code running on the client. The best you can do is obfuscate.
In that vein, you could use a C/C++ code obfuscator on your Alchemy source before compiling it. This would at least make the Alchemy functions (FSM_Z18blahblahblah, etc) gibberish and harder to figure out.

- Obfuscation is a good method of confusing the hackers, though it really doesn't hack-proof your SWC. Anyway, I do understand that anything in Flash that goes to the client is hackable, unless I make it to some AIR or such. – mobdev999 May 23 '11 at 08:14