5

I need my Flash client to communicate with a server securely (through binary sockets). For this, I was thinking of embedding a pre-shared key inside the AS3 code and exchanging XORed data through a custom protocol.

I am told that SWF decompilers do a good job at making all embedded code clearly apparent and readable. Does this mean that I can't really hide my key?

If this method is impractical, what other options are there? I have tried as3crypto, only to find that it's full of shortcomings and lacks serious documentation.

Bill Kotsias
  • 3,038
  • 4
  • 32
  • 57
  • I believe the best you're going to get is using SSL as a secure protocol for transmitting the data. Note this still does not prevent a user from setting up a proxy that accepts your certificate then issues another to the client in order to decode the transmission so it's not by any means full proof either, but it is the most secure solution for client/server communication that at least will impede the ability to hack the system. That is it will keep your end users/server communication safe from outsiders but doesn't protect you from your end users. – shaunhusain Jun 26 '12 at 23:04
  • As the answer below eludes to a man in the middle capture of the communication between the client and the server will ultimately allow someone to write a client that generates the same kind of communication as is seen during mim monitoring. Look at how the Kinect was hacked as an example, the protocol wasn't published nor were the signals for starting up the stream of data, but one USB dongle and a data dump later and you've got guys in Brazil reverse engineering the data stream in < 24hrs. Another example Cain and Able here http://www.youtube.com/watch?v=ZNApxghIQLw – shaunhusain Jun 26 '12 at 23:13
  • Overall point being the server should never trust communication that comes into it from the outside entirely. The only thing you can truly secure is the code that executes on the server and really the best way to keep that secure is for the server to be in a physically secure location and for it not to be hooked into any networks that are unnecessary. Best of luck... good question, just no good answer. – shaunhusain Jun 26 '12 at 23:15

1 Answers1

4

You cannot hide your key at all - SWF is totally untrusted, can be easily decompiled. It's pretty difficult to deal with security with SWF's because they run on the client and are not trusted.

It might depend specifically on what you are trying to accomplish with secure communication. For instance, if you are trying to secure a high-score system that is pretty much impossible because the game runs on the client (the SWF) and they can manipulate it to spit out any score they want to the server. Here is a good read on this: What is the best way to stop people hacking the PHP-based highscore table of a Flash game

If you can use the SWF only as a front-end UI and all logic takes place on the back-end, then you can secure your application (using the above highscore example, if the game was not an AS3 game but actually ran on the server itself, it would be a lot easier to secure, because the backend is trusted and cannot be modified or viewed by a user), but if the logic takes place on the SWF then you are pretty much out of luck.

Community
  • 1
  • 1
Pixel Elephant
  • 19,255
  • 7
  • 64
  • 81