Securing your flash application
3/16/2010 11:22:42 AM
Security in flash applications: The most important aspect ignored by developers while developing flash or flex applications is its security. Flash is as open as html, the only difference is that a normal user cannot view the source of the swf file unless allowed. But does that make it secure? The answer is a big NO. There are many flash decompilers available that not only show you the code but can also modify and recompile the swf files.The fact is known to many computer users. Security threats to your flash applications can be minimized by following a few best practices. Following are the steps that can be helpful in securing your flex/flash application, and will also make you aware of the security threats that can be handled through flash.
Checklist, how to secure your flash application:
- Remove Sensitive Information: Make sure you do not include any sensitive information like User Name, Passwords, SQL Query's or other authentication information inside SWF file. SWF file can be easily decompiled using many software's and such information can be compromised.
- Client validations: Client validations can be removed using decompilers and then the flash file can be recompiled posing a big threat to your system. Its always better to use validation on both sides client as well as server side. Client side validation saves user time and makes application responsive; and server side makes application secure and ensures data to be valid.
- Remove debug information: Debugging information like "trace" comments and other information that can expose code functionality of application. Remember, anyone can decompile and read the comments and traces to understand the workflow of your flash application.
- External data: When sensitive external data is required to be loaded in flash, do not use "params" tag in html or querystring values to inject variables inside swf file. You can load data from server making a http call. This will ensure the data is not embedded in swf and is not accessible using decompilers. Use SSL for better security.
- Algorithms: If you are using an algorithm to achieve some functionality like encrypting the data, beware your algorithm can be analyzed by any user, all they need is a decompiler to see your algorithm. So better keep it on the server side.
- Remove Cross-domain Wildcards: If your swf file is loading data or objects from some other domain, then your other domain must be using crossdomain.xml file to allow your domain to load stuff. Common mistake that many developers do is they put wildcards to allow all domains while development which simply allow any website to access your data from there swf files. You must restrict it to your domain only by specifying your domain in the policy file. This is the proper way to specify your particular domain and ports in cross domain policy file:- <cross-domain-policy> <allow-access-from domain="*.yoursite.com" to-ports="80,8080,8100,443" /> </cross-domain-policy> .
- Allow domain wildcards: Check the actionscript code of your swf file for any allowDomain() and allowInsecureDomain() calls and replace the wildcards with proper domain name that you want to allow. Otherwise your swf file will be accessible to all the domains posing security threat.
- Authentication based HTTP or Webservice: If you are using HTTP service or Webservice to load data into swf. Make sure that you have implemented some authentication system for private data. For e.g. a Webservice request to update user profile can be done be a validated user only. Since the request is hidden inside the swf file, the user can always decompile and see to which page the request is being made and what parameters needs to be sent, without authentication it can be exploited by anybody. Applying secure authentication using SSL while accessing http or webservices is always recommended.
- View Source: Remove the viewSourceURL property unless its required. Do not enable the view source property of your flex application by setting the viewSourceURL property in application tag of your application unless it has some specific need. This property has got a very good application and that is when you want to show working samples of code otherwise remember to remove it before uploading your swf file to production server.
- Use HP SWFScan: You can use HP SWFScan a free tool to decompile your swf files with ActionScript 2 and ActionScript 3 to analyze them for security vulnerabilities. This is a very good tool that is helpful to testers and developers both.You can download this tool from Hp.com from http://www.hp.com/go/swfscan