Part V: What can be done to fix it?
More bad news here. A very clever programmer can make the app harder to steal, and significantly harder to use against you. But neither can be made impossible. If I'm willing to invest the time, I can eventually figure out what makes any Flash code tick. Worse yet, it's in the programmer's best interests to make the app and accompanying data/scripts easy to abuse.
Why is that? It's the nature of templates again. To sell a template to many people, you want it to be generic. The more generic it is, the easier it is for totally different people to use the template. Generic systems are also going to be the easiest to abuse. Information gathering is easier because the system is designed to be simple and configurable. The app itself, then, will be pretty basic and all its customizations will likely be in a configuration file. This file will tell me a whole lot about the website I'm trying to attack. The Flash file will be a whole lot simpler than a custom-written one. If I disassemble the Flash ActionScript (see Geeky Details for more information about this), I know to look for configuration being read, making it easier to see what's going on in the app. The more I know, the more chance I have of finding a way to use the information against you.
Additionally, stopping even a single problem, such as spamming, is very difficult. Some people might think the email scripts should just check the referer, to be sure that the email request legitimately came from the Flash app. Unfortunately, that information is so easy to spoof that it only stops the weakest attackers. Or an even better idea: don't allow the request to specify a recipient, so the email is always sent to the website owner. Very good fix, but that means the template is now a custom program, adding a bit of work for the Flash designer. Every time a fix is identified that requires custom work, the cost of developing a mass-market product goes up.
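The two fixes from the paragraph above, side by side, as an added example (not code from any template or vendor; the handler names, addresses and size limits are assumptions). It goes one step beyond the text by also rejecting line breaks in fields that end up in mail headers, since those would undo the fixed-recipient fix.

```python
# Added example: constructed handlers, not code from any real template or vendor.
OWNER_ADDRESS = "owner@example.com"        # assumption: set in server-side config
SITE_PREFIX = "https://www.example.com/"   # assumption: where the Flash app is hosted
MAX_SUBJECT, MAX_BODY = 200, 2000          # assumption: arbitrary size caps


def referer_checked_handler(headers, form):
    """Template-style script: Referer check, recipient taken from the request."""
    if not headers.get("Referer", "").startswith(SITE_PREFIX):
        return None  # request refused
    return {"to": form["to"], "reply_to": form["from"],
            "subject": form["subject"], "body": form["body"]}


def fixed_recipient_handler(headers, form):
    """Custom script: the recipient is never read from the request."""
    reply_to = form.get("from", "")
    subject = form.get("subject", "")
    # Values that end up in mail headers must not contain line breaks,
    # otherwise the sender could append headers such as extra recipients.
    for value in (reply_to, subject):
        if "\r" in value or "\n" in value:
            return None
    return {"to": OWNER_ADDRESS, "reply_to": reply_to,
            "subject": subject[:MAX_SUBJECT],
            "body": form.get("body", "")[:MAX_BODY]}


def demo():
    # Constructed request: every field, the Referer included, is chosen by
    # whoever sends it, so the Referer check passes without the Flash app.
    headers = {"Referer": SITE_PREFIX + "gallery.swf"}
    form = {"to": "stranger@example.net", "from": "visitor@example.org",
            "subject": "hello", "body": "message text"}
    before = referer_checked_handler(headers, form)
    after = fixed_recipient_handler(headers, form)
    return before["to"], after["to"]


if __name__ == "__main__":
    print(demo())
```

The Referer check only filters requests that omit the header; the fixed recipient holds regardless of what the request contains.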
Moving scripts to "unknown" locations is no good either. The belief that minor, seemingly random customization tweaks cause confusion or difficulty for an attacker is absurd. Winklet's demo apps actually grab their configuration from a different place than their real app or trial. They probably thought they were being clever doing that, but by reading the Flash code I can see exactly where they're hiding their information, and make use of it just as easily as anybody else's.
The only real solution to save their product from theft is custom designing each app for the site that wants it. This of course defeats the purpose of selling cheap, generic templates, as it increases development time, thereby costing the consumer more money and making the product harder to sell in bulk. And heck, this isn't even a guaranteed fix. If somebody comes up with a way to rip graphics and sound out of Flash (maybe they already have, but I haven't looked), even a custom app won't stop theft.
The only real solution to things like the email exploit is to remove the ability to do anything advanced. Only allow the Flash app to handle presentation, never anything more complex. This of course devalues many of the more useful apps for sale out there.