Flex / Air obfuscation [closed]

Question

I've written (most of) an application in Flex and I am concerned with protecting the source code. I fired up a demo of Trillix swf decompiler and opened up the swf file that was installed to my Program Files directory. I saw that all of the actionscript packages I wrote were there. I'm not too concerned with the packages, even though there is a substantial amount of code, because it still seems pretty unusable without the mxml files. I think they are converted to actionscript, or atleast I hope. However, I would still like to explore obfuscation.

Does anyone have any experience with Flash / Actionscript 3 / Flex obfuscators? Can you recommend a good product?

Answer 1

Here's what I would do.

• Compile your application to a SWF file. Then encrypt the SWF using AES.

• Make a "wrapper" application that loads the encrypted SWF into a ByteArray using URLLoader

• Use the as3crypto library to decrypt the swf at runtime.

• Once decrypted, use Loader.loadBytes to load the decrypted swf into the wrapper application.

This will make it a lot harder to get your code. Not impossible, but harder.

For AIR applications you could leave the SWF encrypted when delivering the application to the end-user. Then you could provide a registration key that contains the key used to decrypt the SWF.

Also, here is a link to an AS3 obfuscator. I am not sure how well it works though. http://www.ambiera.com/irrfuscator/index.html

Answer 2

The procedure suggested by maclema will not really stop any attacker from obtaining the source - the "wrapper application" will need to be unencrypted so the attacker will be able to find out that you use AES (or any other algorithm) and he will obtain the decryption key in a similar way (because it needs to be in plaintext somewhere). Once he has this, he will be able to decrypt your SWF file easily.

The only reliable solution (well...) is some kind of obfuscator - we use Amayeta which works for Flex in the latest version - please see http://www.amayeta.com/software/swfencrypt/ .

Answer 3

Well, in my opinion, the easiest and safest solution is a mix of maclema and Borek answer:

Obfuscating code can be a big headach if you did not include it in your process from the start and if your aplplication is quite big: it's likely that obfuscation make your application corrupted if you used remote packages (and did not declare this to the obfuscator) if you used to many unTyped variables in Objects or dynamic classes ....

So: if you do maclema's solution on your big application and use obfuscation on your wrapper (which is a small app likely to be very easy to obfuscate) you're code will be the safest and the hasle the least. Only a very angry pirate would take the time to reverse engineer the obfuscation to then decrypt the package .... Well if someone wants your application code soo bad it's either CIA related or you're already very rich (or both)

thank you all for your answers

Answer 4

I recently released an iOS and Android game using Flash. I looked around the internet for a good free program to protect the source code in my SWF and couldn't find anything so I wrote one. It's still in development and it's "use at your own risk" but it worked for me.

It's released on github. Check it out and let me know what you think.

https://github.com/Teesquared/flasturbate

I uploaded a windows binary but I recommend you follow the instructions to build it yourself if you want to give it a try.

This obfuscator works directly on the SWF file. It currently only renames symbols but it is built on a framework that could support altering bytecodes in the future.