
Flex Security


Writing secure Flex applications
MXML tags with security restrictions
Disabling viewSourceURL
Remove sensitive information from SWF files
Input validation
ActionScript
Using passwords

MXML tags with security restrictions

Some MXML tags trigger operations that require security settings. In these cases, access rights must be granted through one of the permission-granting mechanisms, such as the allowDomain() method or a crossdomain.xml file.

Examples:
Referencing a URL that is outside the exact domain of the application that makes the request.
Referencing a resource that is in a different sandbox.

Disabling viewSourceURL

If you enabled the view source feature by setting the value of the viewSourceURL property on the <mx:Application> tag, you must be sure to remove it before you put your application into production.

Remove sensitive information from SWF files

The SWF file format is an open format: you can extract data and algorithms contained within a SWF file. This is similar to how HTML and JavaScript code can be easily viewed by users. However, SWF files make viewing the code more difficult. A SWF file is compiled and is not human-readable like HTML or JavaScript.

Do not include sensitive information, such as user names, passwords, or SQL statements, in SWF files. Remove debug code, unused code, and comments from code before compiling, to minimize the amount of information about your application that is available to someone with a decompiler or a debugger version of Flash Player.

Do not use client-side username and password checks for authentication. If your SWF file needs access to sensitive information, load the information into the SWF file from the server at run time. The data will not be part of the compiled SWF file and thus cannot be extracted by decompiling the SWF file. Use a secure transfer mechanism, such as SSL, when you load the data.

Input validation

Keep inputs free of malicious characters or code by enforcing input validation with the appropriate tags, such as the <mx:Validator> tag. One advantage of using Flex validators is that they execute on the client, which lets you validate input data before transmitting it to the server. Another approach to enforcing input validation is to use strongly typed, parameterized queries in your SQL code, so that the SQL server will reject the query if someone tries to inject malicious code.

ActionScript

Some ways to try to make your use of ActionScript more secure:
Handling errors
Suppressing debug output
Using host-based authentication

Using passwords

Using passwords in your Flex application is a common way to protect resources from unauthorized access. Test the validity of the password on the server rather than the client, because the client has access to all the logic in the local SWF file. To ensure that passwords are transmitted from the client to the server safely, enforce the use of SSL or some other secure transport-level protocol.
