ActionScript 3.0 :: Secure SWFs In Same Domain Name?
Jan 25, 2010
I want to secure and to load two SWFs files from the same domain, does anyone have any examples and methods applying with allowDomain() that can be used to allow the SWFs to communicate and share data and functions.
how to make secure SWF files, so that decompilers like sothink won't be able to decompile these swf files at all. i have been assigned some research work to find out the stuff to make swf files highly secured
We are planning a desktop client application with Adobe AIR. The client app will be delivered to our customers with a database, which contains monthly updated marketing data provided by our company. As different customers will buy different sets of data from us, for example, a customer is only interested in marketing data in a specific product category, while another customer need all data in a certain region. After a customer installs this client app, new data will be emailed to the customer every month.
So, the requirement is to keep the data accessible only by the customer who bought it. After reading through AIR's secure local store and database encryption feature, I came up with the following design: each customer will have his own secret key (stored in AIR's secure local store), the secret key is used to encrypt the data that the customer has purchased. Of course, the monthly data that we sent to the customer will be encrypted using the same secret key. So my questions are: is AIR's database encryption and secure local store secure enough for this use case? If someone gets the encrypted database file, can he decrypt the DB?
I have an issue that is nearly identical to the poster of this thread, but this post is from 2007 and I think things might have changed since then.
To sum it up: I have a website with HTML files on Server A, and SWFs on Server B.
Users navigate to playgame.html (Server A) with MainMovie.swf (Server B) embedded in it.
MainMovie.swf is supposed to load a number of SWFs (from Server B) throughout. As far as I know they all need to be called with an absolute path, because a relative path will construct the path through the URL of the browser page which is still on Server A. Am I on the right path so far?
My MainMovie.swf literally calls hundreds of SWFs in hundreds of places and setting them all to absolute paths would take forever.
What other options do I have so that it all works on a remote server with relative URLs? MainMovie.swf is in a remote sandbox and can supposedly access files within its own domain, but it's the relative URLs that are killing me.
One solution I could think of is to load an html frame from Server B within playgame.html on Server A, and embed the SWF in there....
I'm building a Flash arcade system that people can deploy to their own websites, which loads its Flash content into a security sandbox. Basically, I'm interested in finding a way to prevent a loaded SWF from accessing the stage.
As you know, once an object in a loaded SWF has access to the stage, it can use event listeners to secure itself to the display list, circumvent Loader.unloadAndStop(), and potentially conduct malicious activities such as key logging. I'm looking to prevent that.
Flash automatically puts SWFs in a sandbox when they're loaded in a domain or subdomain that is different from the parent SWF's. However, the market I'm targeting with this arcade system will probably not have a clear grasp of these concepts, and it's very likely that they will load a SWF into the arcade from the same domain, and that SWF can be malicious. Therefore I'm trying to sandbox content loaded from the same domain as the loader SWF.
Yet another irritating technical issue, it's the first time I've tried loading assets from another server and it's not working.
Apparently having the loader context check policy file does nothing with SWFs, I've tried with and without, no difference.
I've tried Security.allowDomain("*"); and loading a crossdomain.xml file where the assets are located, and no joy. Every time I try it, I just get an error trying to load a class (that works fine from local SWFs).
I'm compiling from CS5 with access network selected. Also tried with Flex, same thing.
post the code for a working cross-domain securityfile that allows access only from the same domain as all the flashfiles and xml files are in?used to be easy in as2 but i think i dont know what i need to know about it in as3..
We are running FMS3 on Windows 2003 Server. Videos stream and play fine when inside our domain, but outside the domain the videos take anywhere from 20 or more seconds before playing.
After analizing the connections it was determined that the player is randomly trying to access ports until it gets to the one that works, but this is ONLY happening from people trying to view videos from outside our domain.
I have moved a web application from old domain to new domain. I cannot get Flash to engage. I have changed the domain in flash_images.php file to the new domain. I have a flash_box.swf file and I have a js file these are the only flash components that I see--old domain is e.g. www.example.com new domain is [URL]..I am not a flash developer, how do I get flash to work on the new domain?
I created some game and would like to let the users play it only on my domain, so to forbid to play it offline or put on some other site. Is there a way to do it? Somehow check domain or so?
My swf works fine when previewed locally but because of flash cross domain issues (link below) doesnt work live. [URL] Ive used a 'crossbrowser.php file to .load in xml but am not having success with the sendAndLoad command. [URL]
I have to make connection to the DB and Insert a row based on the data that the SWF sent me...I will need to make it so that the SWF->PHP part is secure by not letting users tamper with data.I don't want to use SSL because its not a suitable solution... what other method is available?
I have an SWF that communicates with a PHP file and ultimately the DB. The PHP checks whether the User has the appropriate Password etc. and if it is accepted, the actions the person performed on the SWF (game) are used to compete with other Players of the game.
send altered data or actions that are illegal in the game with their submition? To clarify: If a character in the game can only move 1 square at a time, can an evil evil hacker/decompiler (who is a Player in the game) tell the SWF to tell the PHP file that his/her character moves 3 squares at a time?
I'm just want a sense that things will be somewhat secure. There isn't any sensitive information in the SWF besides the location of the PHP file on the net.
We have a swf file that we want to secure and make available only to authorized users.
I embedded the file in an aspx page and that works fine, since ASP.NET handles the aspx page, I can use ASP.NET authorization features and in the web.config restrict the access to roles="AllowedUsers" for example.
However smart users could still get to the file by accessing directly for example www.mysite/flash.swf. We want to make that kind of access secure.
I have a flex application, running with amfphp and connected to wamp, I want to use a secure connection using ssl, but my whole application is running from the same swf file, would using ssl in that case mean that all the data, being sent and received between the server and client ,encrypted? Because this is not what I'm trying to do, I only want to encrypt the sign up and sign in data.
please note that, I have log-in bar which is visible the whole time as long as the user is not signed in.in other words, I only want to secure some of the data being transferred not every thing.
I have a main fla file which loads an external swf into an empty movieclip on the main timeline which works fine but I want a button in the external swf to load another external swf into another empty movie clip on the main timeline.eg. start.swf loads UKEIAMap.swf into (empty movie clip within start.swf) MapLoader_mc then a button havant_b within UKEIAMap.swf needs to load HavantProjectSheet.swf into (empty movie clip within start.swf) ProjectSheetLoader_mc without unloading UKEIAMap.swf
I am loading eight external swfs by way of eight buttons with actionscript to remove the swfs and sound after a new button is clicked. This works fine except that as soon as you get to the frame where the actionscript is all the swfs load at one time on top of each other. I don't want any to load until the button is clicked for the right one. MouseEvent listener works but only after all the swfs have loaded. How do I get the swfs to load only when the buttons are clicked. I can't figure out what I am doing wrong.
I have installed Flash Media Server on our server. When I load up the application home page, I see the demo video of a train.
Then I click on the "Interactive" tab on the right hand side. I was SHOCKED to see that I can create a live stream from my local camera without any credentials at all. Anyone who visits this webpage can publish a live video stream on our Flash Media Server?
I have a SWF hosted on a https enabled domain and amfphp installation on the same domain. Now when i let user embed the swf on his on http page, i intend to send some data to amfphp without user seeing it. However i see that firefox with firebug plugin catches the post data easily. How is this happening ? Adobe documents say that if a swf is hosted in https and destination is also under https, its suppose to be secure?
I have an AIR app in AS3 that connects to an online database, checks the login details for the user account, and logs in if all is good. Once logged in, the user can update database info, plus overwrite files in their user directory. So far it's working fine.
Problem is, I've only got it set up to send the raw login data. Once the php receieves it, it's hashed to check the hashed version in the database, but is there a way to hash and then unhash a password sent from an AIR app? Or a way to use https?
Also, regarding sessions, if you have a seesion in a browser, the session closes automatically when the browser closes, right? So how do you make a session close that you've opened via an Air app? I guess you could trigger a close from certain actions within the app, + when the app closes, but say the app crashes, or the computer crashes - will your session still be floating around out there open?
I'm working on a desktop application that uses API keys for Twitter but AFAIK, AIR applicatioons are easy to decompile. I want the processing of the API requests to be client-side, not server-sided. At most, I want to keep the dependency onto the server to as low as possible.
What I'm thinking is sending the API from the server to the AIR app on the first run. I've already seen Shared secret with API in an Ajax Adobe AIR app but my question is a bit different in that, I want to know how secure ELS is?
How does Adobe work it's way to storing stuff into the ELS? Does it go through multiple encryption sessions before finally getting stored somewhere on the computer?
I have a Flash app that makes periodic calls (using URLRequest and URLLoader) to the same server that hosts it, to check if the current session has expired or not.The problem with this is a man in the middle can spoof a valid response.Is there a generally accepted way to validate a response?Would using 'https' in URLRequest(url) invoke https protocol, would that be sufficient? I'm not a security expert, but would that check if the site is who they say they are, just like the browser?
I was wondering what the best route to take for making a login. The idea is to have the user login with their username and pass on frame 1. If the username and pass exist in the MySQL database then the user will be moved to frame 2. What would be the best way of achieving this? I know AMFPHP is old and I have heard to use ZENDAMF instead, but it seems that any recommendations are 2+ years old when I searched Google.
I have a html pages in which user is logged onin one page he can use swf movies but that movies need to know which user it isso I need to pass vars to swf (username), but that can be problembecause anyone could open swf with submitting username to swfso I need somehow secure user var pass to swf at startif
There's a common strategy for posting to a database where a serverside page is called, passing it querystring data, in order to add entries to a database.
This is not secure though, anyone can decompile the .swf and hack the database by calling the serverside page with their own info. Does anyone know of a secure strategy that does not rely on obfuscation?
I'm building a flash-game-site for a while. The big trouble is Secure Score Submitting System .I search on the net and find some ineffective techniques:
-Secret word method: there is an secret word (crypto pass) on the server and flash gets it from server and uses for crypting score data then sends it to server. But the algoritm that does the crypto job, can be accesible with a swf decompiler. Also getting the secret word from server outside of flash is simple. Not safe!
-HTTP_REFERER method: php (or what else) check HTTP_REFERER data to determine where the post coming from. But with a simply firefox extensions, the referer header can be changed. Not safe!
That is my own idea but can only make cracking harder, not more:
-We can get flash vars with js (:swliveconnect) and send to server. Flash just make a fake submit that makes no effect. Just a trick. But not safe
I'm working on a project (a game) that will run inside a container which is a separate swf. The purpose of this container is to be a sort of landing/end page for future games that's standardized.
For example: container.swf is embedded directly in the HTML page, and is given a flash var with the location of the game (game.swf).
-container.swf loads in game.swf as a child MovieClip
-At the end of gameplay, game.swf dispatched an Event containing the score and other pertinent game information
-container.swf has eventListeners that activate when game.swf dispatches those events, and stores the score given from the game.swf onto separate servers (in a db of some sort)
Now, we have a security option set up to keep the data from being tampered with as it travels from container.swf over to the database (as it is travelling over HTTP, which is easily intercepted, so a hash is included to verify the delivered contents)
My partner also believes that a similar hash-verification systems needs to be in place for the communications between game.swf and container.swf. However, I was under the impression that, since those communications don't travel over HTTP (and rather travel through the Flash player virtual machine type thing),adding such security is unnecessary (and retrofitting container.swf would be a non-trivial task).
So, which of us is correct? Is inter-swf communication (via eventListeners) inherently secure (since that would require lightning fast hacking in order to intercept the data...nanoseconds at best)? Or is adding another layer of security actually useful?
1) I'm trying to create a Flash Login Form but I guess its working with ASP or PHP. Can I make Flash to check usernames from any local mdb? As long as project doesn't require internet connection, excel or sqlite will be enough for me.
2) This question is related to first question. If I cant use a mdb file it seems I'll need to embed all those 5.000 users in flash project, am I correct? Also projects SWF file is 50mb. It will work from CD source, would that cause any problem? I've made it all in one SWF file for security