airsdk / Adobe-Runtime-Support

Report, track and discuss issues in Adobe AIR. Monitored by Adobe - and HARMAN - and maintained by the AIR community.

How to protect swf? #2342

Open hadisn opened 1 year ago

hadisn commented 1 year ago

Hi all. I am really busy these days, and in all this I noticed that some Indian m...r f...r uses my swf in his own app, and that app is live on Google Play.

I encrypted the swf so I don't think he can decompile it, but somehow I got a few ad requests in my AdMob account, I blocked that app, and found my swf inside it. I don't know what this means to this guy and really don't understand why someone would do this.

I am wondering if someone here has a solution for this. Is there a way to check if the app is launched from a specific Android package or something? Just direct me in the right direction; I hope I will figure out how to achieve that.

Any advice is welcome.

Thank you in advance.

manishpatel0404 commented 1 year ago

Whoa! Control your racist emotions, my friend. Crooks don't have a nation. Every nation has crooks, including yours. :-)

As to how this could have happened, and what (if anything at all) you can do about it, please refer to @ajwfrost's comment in post #2104

ajwfrost commented 1 year ago

I guess even if you'd encrypted the SWF, it can still be loaded by AIR so re-use of the SWF is always possible. Presumably if they're then not able to actually change the SWF, then it could have some code in it to check what package it's running in and confirm the app ID? Or would they have reused this too...? https://help.adobe.com/en_US/FlashPlatform/reference/actionscript/3/flash/desktop/NativeApplication.html#applicationID

I'm not sure whether we would have a way to link a SWF to a signing certificate, that would seem to be the best option particularly for platforms that will always require some kind of signature to be attached (including Android, iOS, macOS etc). Let me check with Adobe as I think there was already some capability built into the runtime for this for the validation of Flex RSLs...

hadisn commented 1 year ago

@ajwfrost thank you for the answer. I think that some code to check the app ID would help for now. I tried this before but couldn't find the right solution and gave up. If you have something please share, and when this option is available with Adobe I will add it too...

MalacTheLittle commented 1 year ago

You can scramble swf's bytearray with some algorithm and unscramble it back with the main app.

raresn commented 1 year ago

@MalacTheLittle can you go a bit more in depth on how to do that?

MalacTheLittle commented 1 year ago

You need to load the swf's bytearray with FileStream.readBytes and change some byte values in it. Since each byte is an integer in the range from 0 to 255, you can change its value. You don't need to change each byte's value, since only a few are needed to make it impossible to load with Loader. Changing each byte's value would also be an app performance overkill.

Here's an example of a simple algorithm:

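```actionscript
import flash.filesystem.File;
import flash.filesystem.FileMode;
import flash.filesystem.FileStream;
import flash.utils.ByteArray;

// load swf's bytearray to bytes variable
var swfFile:File = File.applicationDirectory.resolvePath("game.swf"); // placeholder path
var bytes:ByteArray = new ByteArray();
var stream:FileStream = new FileStream();
stream.open(swfFile, FileMode.READ);
stream.readBytes(bytes);
stream.close();

// shift every step-th byte up by 25, wrapping around at 256
var step:uint = Math.ceil(swfFile.size * 0.3);
for (var i:uint = 0, l:uint = swfFile.size; i < l; i += step) {
    var byteInt:int = bytes[i];
    byteInt += 25;
    byteInt = byteInt % 256;
    bytes[i] = byteInt;
}

// save scrambled bytearray to some file
```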

In the main app you need to return each changed byte value to the original one and at the end load it with Loader.loadBytes:

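```actionscript
import flash.filesystem.File;
import flash.filesystem.FileMode;
import flash.filesystem.FileStream;
import flash.utils.ByteArray;

// load scrambled file bytearray to bytes variable
var swfFile:File = File.applicationDirectory.resolvePath("game.dat"); // placeholder path of the scrambled file
var bytes:ByteArray = new ByteArray();
var stream:FileStream = new FileStream();
stream.open(swfFile, FileMode.READ);
stream.readBytes(bytes);
stream.close();

// shift the same bytes back down by 25, wrapping negative values into 0..255
var step:uint = Math.ceil(swfFile.size * 0.3);
for (var i:uint = 0, l:uint = swfFile.size; i < l; i += step) {
    var byteInt:int = bytes[i];
    byteInt -= 25;
    if (byteInt < 0) { byteInt = (byteInt % 256 + 256) % 256; }
    bytes[i] = byteInt;
}
```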

You can also apply this protection to any type of file, not only swf. I usually protect asset files with it. If you want to protect text files like xml or json you need to compress them (ByteArray.compress()) before you apply the algorithm, since only a few shifted bytes won't make them unreadable, e.g.:

input > This is some test text loaded from a text file.
output > mhis is some teŒt text loaded rom a text fil~.

Similar problem goes with .jpg files if someone would reconstruct header bytes, so it's good to compress it first:

input > [image: test]

output > [image: test-scramble]

For audio files like mp3 I found that some apps like WinAmp can reproduce it, only on the scrambled parts the sound blows/peaks/noises up (so, the scramble effect is similar to the scrambled jpg example).

Now you need to build some stronger algorithm with some keys applied that are hidden either on a server or somehow protected in the main app with some obfuscation (e.g. secureSWF).

All you need to do is to play with the idea a bit :)
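
A keyed variant of the scramble described in the comment above, as an added example that is not part of the original thread or of any project's code: it XORs the whole header and every `step`-th byte after it with a key, so one function both scrambles and restores, and it carries a round-trip check to run at build time. It generalizes the fixed +25 shift; the function names, the 64-byte header length, the default step and the sample key are assumptions, and this is still obfuscation that only holds while the key stays out of the package.

```actionscript
import flash.utils.ByteArray;

// XOR is its own inverse: the same call scrambles at build time and
// restores in the main app. `key` is a hypothetical secret byte string.
function xorStrided(bytes:ByteArray, key:ByteArray, step:uint = 97):void {
    if (key.length == 0 || step == 0) {
        throw new ArgumentError("key and step must be non-zero");
    }
    var headerLen:uint = Math.min(bytes.length, 64);
    var k:uint = 0;
    var i:uint;
    // Cover the whole header so it cannot simply be rebuilt by hand.
    for (i = 0; i < headerLen; i++, k++) {
        bytes[i] = bytes[i] ^ key[k % key.length];
    }
    // Then touch one byte in every `step` for the rest of the file.
    for (i = headerLen; i < bytes.length; i += step, k++) {
        bytes[i] = bytes[i] ^ key[k % key.length];
    }
}

function sameBytes(a:ByteArray, b:ByteArray):Boolean {
    if (a.length != b.length) return false;
    for (var i:uint = 0; i < a.length; i++) {
        if (a[i] != b[i]) return false;
    }
    return true;
}

// Build-time self-check: scrambling must change the data, and a second
// pass with the same key must restore it byte for byte.
function roundTripOk(original:ByteArray, key:ByteArray):Boolean {
    var work:ByteArray = new ByteArray();
    work.writeBytes(original);
    xorStrided(work, key);
    var changed:Boolean = !sameBytes(work, original);
    xorStrided(work, key);
    return changed && sameBytes(work, original);
}

// Constructed sample input: a fake 300-byte "SWF" and a made-up key.
var sample:ByteArray = new ByteArray();
sample.writeUTFBytes("FWS");
for (var n:uint = 3; n < 300; n++) sample.writeByte(n % 251);
var key:ByteArray = new ByteArray();
key.writeUTFBytes("constructed-demo-key");
trace(roundTripOk(sample, key));
```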

hadisn commented 1 year ago

These guys are tireless [image]

ajwfrost commented 1 year ago

Hi @hadisn .. just looking at this, I've pulled down the APK for the top one. Their Android application ID is game.pioa.c193 but they have not modified the AIR application descriptor file, so my earlier thought (of being able to check that your app ID is what's expected) wouldn't work..

But equally .. the AIR runtime should only be distributed with an app when that app has been created using the AIR SDK (according to the license agreement we got from Adobe) and they are definitely doing some kind of repackaging. Within ADT, we generate an application identifier using the app descriptor ID (often adding "air." onto it) -> so I could just find your app on the play store by checking their APK file, getting the app descriptor and ID, then using that on the online version of the play store ..

It would seem sensible then for us to only allow an application to run if the Android application ID matched the application descriptor file. Although it would probably be fairly quick for people to work that out -> so we could add an extra security feature into the runtime here perhaps...?

So e.g. if you have a SWF that you want to only run within a particular application, we can inject something into the SWF so that it's then only accessible from an application with that ID...? Will have to think how we can do this in a reasonably secure way, but that would I hope prevent this kind of thing!

thanks

hadisn commented 1 year ago

@ajwfrost they didn't bother at all to change anything, just put the complete game inside their app. I wonder how Google accepted such apps; my logo appears when the app is launched. I am doing my best to be in compliance with Google Play, AdMob etc... and someone comes and takes it. Now I am trying to remove old ad IDs and update apps as soon as possible to stop receiving ad requests to AdMob. I really don't understand these guys, they get nothing from this, it looks like they only want to harm me.

I tried to contact them and nicely ask them to remove my swf but it doesn't work. Now even if we find a solution for this it will be hard to remove all previous versions of the apps from the internet.

jigtrap commented 2 months ago

Hi Hadisn, I hope you are OK. Since we both use the same development platforms (Animate, Adobe AIR, Distriqt Antes) and thus face the same technical challenges along the time, would it be possible to contact you? I think we can help each other and maybe share experiences. If possible, I leave here my email: jigtrap[AT]outlook[DOT]es

Thanks in advance, Aldo