Welcome!

Welcome to the official BlackBerry Support Community Forums.

This is your resource to discuss support topics with your peers, and learn from each other.

inside custom component

Adobe AIR Development

Reply
Developer
blueinc
Posts: 109
Registered: ‎12-04-2008
My Device: Playbook, Torch 9800, Storm 9530, Tour 9630
Accepted Solution

Obfuscate your SWF? What's the process flow?

I'm thinking it's probably a good idea to obfuscate my swf before delivering it to App World. Is anyone doing this yet? There seems to be a lot about this on the Java Dev forum but nothing here.

I've never used obfuscation and don't know what the process would be to deliver a completely signed, sealed and delivered .bar to App World. Could you walk me through it?

 

Thank you in advance,

Brian

PlayBook Apps: Sudoku Pro
Smartphone Apps: Compass | MultiClock
Please use plain text.
Developer
jtegen
Posts: 6,541
Registered: ‎10-27-2010
My Device: HTC One, PlayBook, LE Z10, DE Q10

Re: Obfuscate your SWF? What's the process flow?

We've been told that there is no way a user can get to the SWF because of a secured sand box.

 

Now we do obfuscate SWF files for one of my clients and it can be a time consumer, pain in the b*t process to properly secure a SWF and allow it to work properly.  It is a back and forth effort to change settings and then do testing to make certain it still works.

 

For me, I will not do it for the PB.

Please use plain text.
Developer
blueinc
Posts: 109
Registered: ‎12-04-2008
My Device: Playbook, Torch 9800, Storm 9530, Tour 9630

Re: Obfuscate your SWF? What's the process flow?

I had no idea the security was in place. Let's hope it holds up.

Thanks for this...and for all your other helpful advice.

 

cheers...B

PlayBook Apps: Sudoku Pro
Smartphone Apps: Compass | MultiClock
Please use plain text.
BlackBerry Development Advisor
elena_laskavaia
Posts: 417
Registered: ‎10-27-2010
My Device: PlayBook

Re: Obfuscate your SWF? What's the process flow?

You cannot read the other application sandbox but bar file is not encrypted. So if somebody intercepting the network when file is uploading or get a hold of you bar file it is possible to read it.

Also it is not encryted in the playbook filesystem itself - so if you take playbook apart and extract the storage unit it is possible to read it from raw data blockes on the storage device (it has to be adavanced hacking though).

Please use plain text.
Developer
shawnblais
Posts: 439
Registered: ‎10-25-2010
My Device: Not Specified

Re: Obfuscate your SWF? What's the process flow?

Ha, there's no security at all...

 

 

You can literally FTP right into your playbook, user: root, pass:root, and browse every single SWF on there, decompiling them to your hearts content.

 

Yes, this is a big topic, unfortunately it is WAY to easy for people to rip your source code.

 

It would be awesome if RIM could provide this, but for now your best option is something like this, which will run you $150-$200:
http://www.amayeta.com/software/swfencrypt/

 

Please use plain text.
Developer
blueinc
Posts: 109
Registered: ‎12-04-2008
My Device: Playbook, Torch 9800, Storm 9530, Tour 9630

Re: Obfuscate your SWF? What's the process flow?

Okay, so assuming I want to do that, what are the steps I need to take, start to finish? I'm using Flash Builder 4 so...Export a signed .bar? Open it, obfuscate the swf, and...repackage/re-sign it using the command line?

What would the process be?

I'm looking at a code-level obfuscator like http://www.kindisoft.com/. A bit pricey, though.

PlayBook Apps: Sudoku Pro
Smartphone Apps: Compass | MultiClock
Please use plain text.
Developer
shawnblais
Posts: 439
Registered: ‎10-25-2010
My Device: Not Specified

Re: Obfuscate your SWF? What's the process flow?

[ Edited ]

No I doubt that would work, once it's signed I don't think you can just open it... maybe, but I doubt it.

 

Your flow would basically be:

- Generate SWF from FlashBuilder (this is done automatically when you Build)

- Replace generated swf in bin-debug, with the obfuscated swf, making sure the name is exactly the same

- Package

 

That would work fine when packaging via command line. But I have no idea if it would work when you package a signed release build using the GUI in FlashBuilder.

 

The question is, when exporting a release build, does it regenerate the SWF, or does it use the one that's already there. I think it regenerates it... in which case I dunno, you might have to sign/[ackage via command line, which should allow you to specify any SWF you want.

 

If I were to do this, I would probably set up an ANT script that automated the whole process... assuming your chosen obfuscator has an executable you can run with command line... 

Please use plain text.
Developer
TheDarkIn1978
Posts: 409
Registered: ‎12-10-2010
My Device: PlayBook

Re: Obfuscate your SWF? What's the process flow?

i believe secureSWF is by far the most popular solution.

 

here's an interesting thread about it on SO

 

i use the command line to package and sign my apps (since i use Flash CS5) so i'm not familiar with how signing is executed with Flash Builder.

 

1.  publish your swf

2.  obfuscate the swf

3.  package and sign the obfuscated swf using command line tools


PlayBook Applications:
Drop Swatch
Please use plain text.
Developer
peter9477
Posts: 6,473
Registered: ‎12-08-2010
My Device: PlayBook, Z10

Re: Obfuscate your SWF? What's the process flow?

[ Edited ]

@shawnblais, where do you get this information?  (Edit: The part about "You can literally FTP right into your playbook, user: root, pass:root".)

 

The original simulator was basically that open.

 

The real thing, and in fact recent simulators, are far more secure.  Ignoring the fact that with the simulator, you can of course directly access the filesystem image, but I challenge you to get in any other way and extract a SWF file from any BAR that you load onto it, unless you're using the -devMode option during packaging.

 

Please correct what I believe is a gross misrepresentation of the facts, or provide a reference for the information if you believe it to be true.


Peter Hansen -- (BB10 and dev-related blog posts at http://peterhansen.ca.)
Author of White Noise and Battery Guru for BB10 and for PlayBook | Get more from your battery!
Please use plain text.
Developer
peter9477
Posts: 6,473
Registered: ‎12-08-2010
My Device: PlayBook, Z10

Re: Obfuscate your SWF? What's the process flow?

 


elena_laskavaia wrote:

So if somebody intercepting the network when file is uploading or get a hold of you bar file it is possible to read it.


 

Elena, can you confirm that the connection between the PlayBook and App World, for a download, is not using a secure socket (TLS/SSL/HTTPS)?

 

That would strike me as being a bit counterproductive to a lot of the security measures, but more importantly it does mean that even with the PlayBook, any licensing model except dynamic/pooled licensing is going to be prone to massive piracy, and may have other security implications as well.  Furthermore, since there is as yet inadequate documentation for us to implement proper dynamic licensing support in our PlayBook apps, I'm at a loss to understand how anyone could yet protect their PlayBook apps in any effective manner.


Peter Hansen -- (BB10 and dev-related blog posts at http://peterhansen.ca.)
Author of White Noise and Battery Guru for BB10 and for PlayBook | Get more from your battery!
Please use plain text.