actionscript 3 - Any reverse engineers have experience with secureSWF?

Question

I'm writing a flash application and am afraid that it will be decompiled. In order to minimize this chance, I want to obfuscate the file.

I have heard of secureSWF (http://www.kindisoft.com/), and they do list some "user comments". These are however so optimistic that they are hard to trust. There's not a single pessimistic comment (not even about eg. the user interface or support), so something tells me that they might not post them all. From my experience, even the best companies have some kind of critic every now and then.

So, any reverse engineers here, could tell me how experienced you are in the job - and whether you managed to reverse engineer a secureSWF obfuscated file? If so, how long did it take you approximately? Would you recommend this software?

Thanks a lot in advance.

Answer 1

Rule 1:

Anyone with intelligence and determination will always obtain your code/keys/source/files/data
Anything you do simply increases the potential time/effort required to compromise

With or without SecureSWF, will people go to the trouble?

A quick Google suggest that not many attempts have been made to decompile SWF files created with secureSWF ... but they must still meet the specification of compiled bytecode ... so it just amounts to obfuscation. The lack of testing suggests:

1. No one really has independently tested it, and therefore no value in its security can be made
2. People have tested it, it is very effective and people didn't post the results

I think the former is more likely. If you said what the Flash app does, then these points might be more specific.

I would look for sources of data relating to how long after release these things have been reversed rather than the security of the system itself (which is irrelevant).

Also ensure that making your source secure-ish (rather than cooperating with the community) is the best strategy considering that at some point, a determined mind will be able to access your logic.

From a business point of view, your strategic position should not be in keeping your logic scrambled ... as this is futile. You can be as proprietary as you want ... but people will get around it (just ask the games industry). And heavy-handed security causes backlash (see DRM).

If you are convinced your application is so amazing that people will go to the effort of reversing it, look for another value proposition.

Flash is one of those things, like JavaScript, where there is only so much you can do and does it really matter? What good is the apps logic without the other links in the chain?

Anyway, look for the required effort to reverse the encoding rather than the perceived strength of the software's clients.

Anyway, Good Luck!