Embedding Private Keys in SWF files

I've recently came across the new online SWF, Zend, and Java decomplier at showmycode.com that allows you to almost "view the source" of the SWF file online. If you had some important data stored in your SWF (such as API keys or passwords) you may not wish them being exposed.
The easiest (and therefore naïve) way to hide them* would be to store them in external text files and embed in the SWF.

[Embed(source="api_key.txt", mimeType="application/octet-stream")]
private const API_KEY:Class;

// ...

var myAPI_KEY:String = String(new API_KEY());

Then you can create an instance and cast it to String, like shown above.

The asset class extends mx.core.ByteArrayAsset and its byte content is not revealed by most decompilers.

*Of course, this "solution" does not offer any serious protection, you can still decompress the SWF and view the keys in the hex editor. You could scramble/hash them a bit to make the hacker's job harder but it's still possible to extract them.

12:46 PM | | 2 Comments | Tags: , ,


  1. I like that. As you say it's not a true secure solution, but it's an extra layer of inconvenience for the casual hacker to overcome. As an added bonus, it doesn't involve complex code and so doesn't risk introducing bugs into your application.

    David Arno on
  2. Smart move! Thanx.

    webproidea on

Adding comments disabled for now.