
Tools to protect your Flash source code

Stealing Flash source code may not be nice, but it's all too easy. Fortunately, protecting your Flash applications is easy thanks to a variety of tools available today.


I have some bad news if you've spent many hours creating some cool or innovative Flash project. Like it or not, all the images, sound, and ActionScript code you created can easily be "ripped" or copied out of your Flash movie. Some of my work has been plagiarized in the past, and the same may have happened to you.

From a development standpoint, this is a nightmare. Others can make money off of your work and pass it off as their own. Your intellectual property could also appear on very questionable Web sites. From a business perspective, this situation makes it nearly impossible to create a commercially viable product using pure Flash. Your business and security logic (embedded in ActionScript) is completely exposed to the public.

At the heart of the problem is the Flash format itself—Macromedia made Flash an open standard to increase overall adoption and the integration of Flash into third-party products. There's even a PDF version of the Flash format specification.

Unfortunately this openness means that there are a lot of tools to decompile Flash movies. But there are also some methods and techniques you can use to foil these tools and protect your work.

SWF decompilers
From an ethical standpoint, decompilers have a checkered reputation in the Flash community. Many developers believe that they encourage plagiarism, while others believe that Flash code should be viewed and shared freely, much like HTML source on a Web page. Regardless of where you stand on this issue, there is no denying that much can be learned from studying Flash files, especially the ActionScript code.

These are four of the most popular tools on the market to decompile Flash:
  • Sothink SWF Decompiler MX 2002 Pro
    This powerful decompiler deconstructs most Flash movies and allows you to save all of the graphics, sound, and ActionScript source code. It also allows you to examine a Flash movie frame by frame. This decompiler currently supports Flash 4.0, 5.0, and MX.
  • Action Script Viewer 4.0
    Apart from being able to extract any part of a Flash movie, this product has the amazing feature of allowing you to reconstruct Flash source files (.fla) from Shockwave Flash movies (.swf). This product supports all Flash file formats, from version 3.0 to Flash MX 2004 Professional.
  • Liatro SWF Decoder
    The Liatro SWF Decoder has features similar to those of the previously mentioned products. This particular decompiler supports Flash 3 through MX and allows you to view the binary structure of any Flash file.

With powerful tools like these to crack open any Flash file, what recourse does a developer have?

Using Flash Obfuscation
So what exactly does obfuscation mean? To obfuscate is to make something confusing or difficult to understand. Many of the products we will look at use obfuscation to hide your code from decompilers. Here is a rundown of several effective tools to help prevent Flash theft:
  • ActionScript Obfuscator
    This is a tool that scrambles ActionScript. It primarily scrambles variable names and other text references into strings that are difficult to reverse engineer. Rather than provide bulletproof protection against code theft, it discourages the user from figuring out the code from scratch.
  • Tevas v.0.9
    Tevas uses two very secure algorithms (the MD5 Message-Digest Algorithm and the TEA encryption algorithm) to encrypt passwords hard-coded in your Flash movie. It can also be used to encrypt Flash text. This product is currently freeware that will eventually be integrated into the ActionScript Obfuscator (see above).
  • Viewer Screwer
    Viewer Screwer is a free online utility written by Marcel Debreuil. The program scrambles ActionScript into machine-readable source code. Specifically, it replaces all variable names and identifiers with a scrambled sequence of letters, which ultimately makes it very difficult to reverse engineer your ActionScript. You can access the application using the following username/password, which has been published in his public forum:
    username: rmb
    password: password
  • FLASM
    FLASM is an open source assembler/disassembler that allows you to decode Flash on a very low level. Your Flash movie normally relies on branched instructions and a consistent flow. If you are comfortable with assembly programming, you can obfuscate your Flash movie by manipulating the sequence and execution of instructions, thus creating irreducible loops. In layman's terms, your Flash movie will resemble byte-code spaghetti, which will confuse most disassemblers.
  • Macromedia Flash MX 2004
    Macromedia has recently implemented measures to protect Flash source code with the release of Flash MX 2004 Professional. This product incorporates support for compiled components and the SWC format. Flash developers can now create compiled code modules with built-in code hiding. With this release, Macromedia has created a new viable market for the sale of stand-alone Flash modules and products.

Keep vital business logic on the server side
There's no denying that Flash is an amazing browser front end that's widely compatible with most browsers and platforms. The main lesson to be learned is not to rely on client-side Flash movies to store important information, such as passwords. By keeping your business logic on the server side and obfuscating your ActionScript, you can develop commercial Flash-driven applications that are relatively well protected and secure. Macromedia has also published an excellent white paper on Flash MX security. Be sure to read it before undertaking any major Flash project.
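The following is an added example, not code from any of the tools named above. It shows in JavaScript what the identifier-scrambling tools do and why the lesson in this section still applies afterwards: names are renamed, but a hard-coded password literal survives unchanged. The ActionScript sample, the renaming scheme (_0, _1, ...) and all function names are constructed for illustration.

```javascript
// Constructed ActionScript 1-style sample (not taken from any real movie).
const SAMPLE = [
  'var adminPassword = "constructed-secret";',
  'function checkLogin(entered) {',
  '  var ok = (entered == adminPassword);',
  '  if (ok) { gotoAndPlay("members"); }',
  '  return ok;',
  '}',
].join('\n');

const STRING = /"(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*'/g;
// One token per match: string literal, number, identifier (a leading dot
// marks member access, which is left alone), or any other single character.
const TOKEN = /"(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*'|\d[\w.]*|\.?[A-Za-z_$][\w$]*|[\s\S]/g;

// Names the script itself declares: var, function names, and parameters.
function declaredNames(src) {
  const code = src.replace(STRING, '""'); // ignore text inside literals
  const names = new Set();
  for (const m of code.matchAll(/\b(?:var|function)\s+([A-Za-z_$][\w$]*)/g)) names.add(m[1]);
  for (const m of code.matchAll(/\bfunction\b[^(]*\(([^)]*)\)/g))
    m[1].split(',').map((p) => p.trim()).filter(Boolean).forEach((p) => names.add(p));
  return names;
}

// Replace every declared name with a meaningless one (_0, _1, ...).
function renameIdentifiers(src) {
  const names = declaredNames(src);
  const map = new Map();
  return src.replace(TOKEN, (tok) => {
    if (!names.has(tok)) return tok; // literals, keywords, built-ins, .members
    if (!map.has(tok)) map.set(tok, '_' + map.size.toString(36));
    return map.get(tok);
  });
}

// What a reader of the decompiled movie still sees verbatim.
function stringLiterals(src) {
  return (src.match(STRING) || []).map((s) => s.slice(1, -1));
}

// Pre-release check: literals assigned to secret-looking variable names.
function hardCodedSecrets(src) {
  const re = /\bvar\s+(\w*(?:pass|secret|key)\w*)\s*=\s*(["'])(.*?)\2/gi;
  return [...src.matchAll(re)].map((m) => ({ name: m[1], value: m[3] }));
}
```

Run hardCodedSecrets on the source before obfuscating, since the variable names it keys on are gone afterwards; anything it reports belongs in a server-side check instead of in the movie.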

Good luck and Flash safely!
