Friday, October 8, 2010

Homebrew Flash Intellectual Property Protection Scheme

I have been searching for an ideal intellectual property protection tool that could be used for protecting my Flash projects. After spending months testing dozens of products (and eventually breaking all of them), I am beginning to wonder if it's worth developing one from scratch myself.

I normally would advise my clients against implementing any homebrew security schemes, since most of us are not experienced cryptographers and security experts. In addition, there are so many open-source and thoroughly tested security schemes available online that it just doesn't make a lot of business sense to waste resources on research and development. Unfortunately, securing a Flash application is a bit trickier than securing a password. Since the SWF specification is open to the public, any text, pictures, and logic embedded in an SWF file can be extracted by anyone with a decompiler. Furthermore, developers have essentially no control over the runtime environment (the Flash Player), so any custom security scheme must eventually comply with the normal operation of the Flash Player.
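To make the point about the open SWF format concrete, here is an added example (not code from the original post) that audits a build for strings that ship in the clear. It reads the documented 8-byte SWF header (`FWS`/`CWS` signature, version, little-endian file length), inflates a `CWS` body, and lists printable ASCII runs. The function names and the sample container are constructed for illustration; the sample is not a playable movie.

```python
import re
import struct
import zlib


def build_sample_swf(body, version=10, compress=True):
    """Constructed test input: an SWF-style container around `body`.
    Only the 8-byte header layout is real; the body is not valid tag data."""
    total_len = 8 + len(body)  # FileLength counts the *uncompressed* file
    sig = b"CWS" if compress else b"FWS"
    payload = zlib.compress(body) if compress else body
    return sig + struct.pack("<BI", version, total_len) + payload


def swf_body(data):
    """Return the uncompressed bytes that follow the 8-byte SWF header."""
    if len(data) < 8:
        raise ValueError("too short for an SWF header")
    sig = data[:3]
    total_len = struct.unpack("<I", data[4:8])[0]
    if sig == b"FWS":        # stored uncompressed
        body = data[8:]
    elif sig == b"CWS":      # everything after the header is zlib-deflated
        body = zlib.decompress(data[8:])
    else:
        raise ValueError("unsupported signature %r" % sig)
    if 8 + len(body) != total_len:
        raise ValueError("length field does not match body size")
    return body


def embedded_strings(data, min_len=6):
    """Printable ASCII runs in the movie body, similar to `strings`."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.decode("ascii") for m in pattern.findall(swf_body(data))]


# Constructed sample: two "secrets" separated by binary filler.
SAMPLE_BODY = (b"\x00\x01const API_KEY = 'constructed-demo-key'"
               b"\x00\xffhttp://example.invalid/license\x02")

if __name__ == "__main__":
    for s in embedded_strings(build_sample_swf(SAMPLE_BODY)):
        print(s)
```

Run against your own release build, anything this prints is readable by whoever downloads the file, so it should not be a key, a licence check constant, or a private endpoint.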



I am not even sure if it is possible to implement a secure intellectual property protection scheme in Flash; therefore, I would like to hear any input from the community. For now, I will try to formalize the requirements for such an intellectual property protection scheme here.

1) The scheme must be implemented entirely in ActionScript 3 and be deployed on Flash Player 10.1 or above.

2) The scheme must protect against all commercially available decompilers.

3) The scheme must be built on a cryptographically-secure foundation.

4) The scheme must withstand white-box testing.

5) The scheme should be open-source.

6) The scheme may work on mobile devices.

Please feel free to comment and add your ideas to the list.

1 comment:

  1. I've revisited this issue over the years and have never come across anything that seems worth implementing. I too have always said to clients that there's nothing out there that would be worthwhile.

    Out of all the tools you've reviewed though, which tool does the best job, or is it completely pointless? I don't have a cryptography background so my assessment of tools is limited to just trying to decompile using existing software.
