Embedding Private Keys in SWF files
I've recently came across the new [online SWF, Zend, and Java decomplier at showmycode.com](http://showmycode.com/) that allows you to almost "view the source" of the SWF file online. If you had some important data stored in your SWF (such as API keys or passwords) you may not wish them being exposed. The easiest (and therefore naïve) way to hide them* would be to store them in external text files and embed in the SWF. [Embed(source="api_key.txt", mimeType="application/octet-stream")] private const API_KEY:Class; // ... var myAPI_KEY:String = String(new API_KEY()); Then you can create an instance and cast it toString
, like shown above.
The asset class extends mx.core.ByteArrayAsset
and its byte content is not revealed by most decompilers.
***Of course, this "solution" does not offer any serious protection, you can still decompress the SWF and view the keys in the hex editor. You could scramble/hash them a bit to make the hacker's job harder but it's still possible to extract them.**
12:46 PM
|
posts
|
2
Comments
|
Tags: as3, tips, debugging
Comments
- David Arno on August 20, 2010, at 07:56 PM
- webproidea on June 16, 2010, at 04:13 PM
Adding comments disabled for now.