I had no idea the security was in place. Let's hope it holds up.

Thanks for this...and for all your other helpful advice.

cheers...B

You cannot read the other application sandbox but bar file is not encrypted. So if somebody intercepting the network when file is uploading or get a hold of you bar file it is possible to read it.

Also it is not encryted in the playbook filesystem itself - so if you take playbook apart and extract the storage unit it is possible to read it from raw data blockes on the storage device (it has to be adavanced hacking though).

Ha, there's no security at all...

You can literally FTP right into your playbook, user: root, pass:root, and browse every single SWF on there, decompiling them to your hearts content.

Yes, this is a big topic, unfortunately it is WAY to easy for people to rip your source code.

It would be awesome if RIM could provide this, but for now your best option is something like this, which will run you $150-$200:
http://www.amayeta.com/software/swfencrypt/

Okay, so assuming I want to do that, what are the steps I need to take, start to finish? I'm using Flash Builder 4 so...Export a signed .bar? Open it, obfuscate the swf, and...repackage/re-sign it using the command line?

What would the process be?

I'm looking at a code-level obfuscator like http://www.kindisoft.com/. A bit pricey, though.

No I doubt that would work, once it's signed I don't think you can just open it... maybe, but I doubt it.

Your flow would basically be:

- Generate SWF from FlashBuilder (this is done automatically when you Build)

- Replace generated swf in bin-debug, with the obfuscated swf, making sure the name is exactly the same

- Package

That would work fine when packaging via command line. But I have no idea if it would work when you package a signed release build using the GUI in FlashBuilder.

The question is, when exporting a release build, does it regenerate the SWF, or does it use the one that's already there. I think it regenerates it... in which case I dunno, you might have to sign/[ackage via command line, which should allow you to specify any SWF you want.

If I were to do this, I would probably set up an ANT script that automated the whole process... assuming your chosen obfuscator has an executable you can run with command line... 

@shawnblais, where do you get this information?  (Edit: The part about "You can literally FTP right into your playbook, user: root, pass:root".)

The original simulator was basically that open.

The real thing, and in fact recent simulators, are far more secure.  Ignoring the fact that with the simulator, you can of course directly access the filesystem image, but I challenge you to get in any other way and extract a SWF file from any BAR that you load onto it, unless you're using the -devMode option during packaging.

Please correct what I believe is a gross misrepresentation of the facts, or provide a reference for the information if you believe it to be true.

---

elena_laskavaia wrote:

So if somebody intercepting the network when file is uploading or get a hold of you bar file it is possible to read it.

---

Elena, can you confirm that the connection between the PlayBook and App World, for a download, is not using a secure socket (TLS/SSL/HTTPS)?

That would strike me as being a bit counterproductive to a lot of the security measures, but more importantly it does mean that even with the PlayBook, any licensing model except dynamic/pooled licensing is going to be prone to massive piracy, and may have other security implications as well.  Furthermore, since there is as yet inadequate documentation for us to implement proper dynamic licensing support in our PlayBook apps, I'm at a loss to understand how anyone could yet protect their PlayBook apps in any effective manner.