Writing secure Flex applications - PowerPoint PPT Presentation

Provided by: lawr7
Slides: 12
Transcript and Presenter's Notes

1
Writing secure Flex applications
  • MXML tags with security restrictions
  • Disabling viewSourceURL
  • Remove sensitive information from SWF files
  • Input validation
  • ActionScript
  • Using passwords.

2
Writing secure Flex applications
  • MXML tags with security restrictions
  • Some MXML tags trigger operations that require
    security settings. In these cases, access rights
    must be granted through one of the
    permission-granting mechanisms, such as the
    allowDomain() method or a crossdomain.xml file.
  • Examples of such operations:
  • Referencing a URL that is outside the exact
    domain of the application that makes the request.
  • Referencing a resource that is in a different
    sandbox.

3
Writing secure Flex applications
  • Disabling viewSourceURL
  • If you enabled the view source feature by
    setting the value of the viewSourceURL property
    on the <mx:Application> tag, you must be sure to
    remove it before you put your application into
    production.

4
Writing secure Flex applications
  • Remove sensitive information from SWF files
  • The SWF file format is an open format, so anyone
    can extract the data and algorithms contained
    within a SWF file. This is similar to how HTML and
    JavaScript code can be easily viewed by users.
    SWF files only make viewing the code more
    difficult: a SWF file is compiled and is not
    human-readable like HTML or JavaScript, but it
    can still be decompiled.

5
Writing secure Flex applications
  • Remove sensitive information from SWF files
  • Do not include sensitive information, such as
    user names, passwords, or SQL statements in SWF
    files.
  • Remove debug code, unused code, and comments from
    code before compiling to minimize the amount of
    information about your application that is
    available to someone with a decompiler or a
    debugger version of Flash Player.
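Both the viewSourceURL slide and this one describe things that must be gone from the source before the production compile. As an added example (not part of the original deck), here is a pre-release lint that walks MXML/ActionScript source and reports the leftovers the slides name: a viewSourceURL attribute, credential-like string literals, embedded SQL statements, and trace() debug calls. The sample source is constructed for the example; the regular expressions are heuristics, so a match is a prompt for review, not proof of a secret.

```python
import re

# Constructed sample MXML showing the issues the slides name (not from the original deck).
SAMPLE_MXML = """<?xml version="1.0" encoding="utf-8"?>
<mx:Application xmlns:mx="http://www.adobe.com/2006/mxml"
    viewSourceURL="srcview/index.html">
    <mx:Script><![CDATA[
        private var adminPassword:String = "hunter2";
        private const QUERY:String = "SELECT * FROM users WHERE name = '";
        private function init():void {
            trace("debug: starting up");
        }
    ]]></mx:Script>
</mx:Application>
"""

# Constructed clean counterpart: same structure with the leftovers removed.
CLEAN_MXML = """<?xml version="1.0" encoding="utf-8"?>
<mx:Application xmlns:mx="http://www.adobe.com/2006/mxml">
    <mx:Script><![CDATA[
        private function init():void {
            loadConfigFromServer();
        }
    ]]></mx:Script>
</mx:Application>
"""

# (pattern, message) pairs; each line of source is tested against all of them.
CHECKS = [
    (re.compile(r"\bviewSourceURL\s*="),
     "viewSourceURL is set; remove it before the production build"),
    (re.compile(r'(password|passwd|secret|apikey|token)\w*\s*:\s*String\s*=\s*"[^"]+"', re.I),
     "credential-like string literal would be compiled into the SWF"),
    (re.compile(r'"\s*(SELECT|INSERT|UPDATE|DELETE)\b', re.I),
     "SQL statement literal in client code; keep queries on the server"),
    (re.compile(r"\btrace\s*\("),
     "trace() call left in; strip debug output before release"),
]


def lint_source(text):
    """Return [(line_number, message), ...] for every line that matches a check."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for pattern, message in CHECKS:
            if pattern.search(line):
                findings.append((lineno, message))
    return findings


if __name__ == "__main__":
    for lineno, message in lint_source(SAMPLE_MXML):
        print(f"line {lineno}: {message}")
    print("clean file findings:", lint_source(CLEAN_MXML))
```

Run over the sample, the lint reports lines 3, 5, 6 and 8; over the clean counterpart it reports nothing. Wiring it into the build so that any finding fails the release compile turns the slide's advice into a gate rather than a reminder.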

6
Writing secure Flex applications
  • Remove sensitive information from SWF files
  • Do not use client-side username and password
    checks for authentication.
  • If your SWF file needs access to sensitive
    information, load the information into the SWF
    file from the server at run time. The data will
    not be part of the compiled SWF file and thus
    cannot be extracted by decompiling the SWF file.
    Use a secure transfer mechanism, such as SSL,
    when you load the data.

7
Writing secure Flex applications
  • Input validation
  • Keep the inputs free of malicious characters
    or code by enforcing input validation with the
    appropriate tags (the <mx:Validator> tag).
  • One advantage of using Flex validators is that
    they execute on the client, which lets you
    validate input data before transmitting it to the
    server.
  • Another approach to enforce input validation is
    to use strongly-typed, parameterized queries in
    your SQL code, so that the SQL server rejects
    the query if someone tries to inject malicious
    code.
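Because an <mx:Validator> runs inside the SWF, it improves the user experience but cannot be relied on for security: the client can be modified or bypassed, so the same rule must be applied again on the server, and the query itself must be parameterized. The following added example (not from the deck; the server side of a Flex application is not specified there, so Python with an in-memory SQLite table is an assumption) shows a server-side counterpart of a username validator followed by a parameterized lookup, with constructed sample rows.

```python
import re
import sqlite3

# Server-side counterpart of the client-side <mx:Validator> rule for a username.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{3,32}$")


def validate_username(value):
    """Return True only for a well-formed username; applied again on the server."""
    return bool(USERNAME_RE.match(value))


def make_db():
    """Constructed in-memory table standing in for the real user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "a@example.com"), ("bob", "b@example.com")])
    return conn


def lookup_email(conn, username):
    """Validate first, then query with a bound parameter so the value is never parsed as SQL."""
    if not validate_username(username):
        return None  # reject before the database is touched
    # The ? placeholder binds username as data; quotes or keywords inside it are just bytes.
    row = conn.execute("SELECT email FROM users WHERE name = ?", (username,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    for name in ("alice", "carol", "alice' OR '1'='1"):
        print(repr(name), "->", lookup_email(db, name))
```

A real username resolves to its row, an unknown one to nothing, and a value carrying quotes and SQL keywords is stopped by the validator; even if the validator were removed, the bound parameter would still treat it as a literal name and return no row.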

8
Writing secure Flex applications
  • ActionScript
  • Handling errors
  • Suppressing debug output
  • Using host-based authentication
  • These are some ways to make your use of
    ActionScript more secure.

9
Writing secure Flex applications
  • Using passwords
  • Using passwords in your Flex application is a
    common way to protect resources from unauthorized
    access. Test the validity of the password on the
    server rather than the client, because the client
    has access to all the logic in the local SWF
    file.
  • To ensure that passwords are transmitted from the
    client to the server safely, enforce the use of
    SSL or another secure transport-level
    protocol.
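This slide and the earlier "do not use client-side username and password checks" slide make the same point from two directions: the check lives on the server, and the credential travels only over SSL/TLS. The following is an added example (not the deck's code; the server language is an assumption) of what that server-side check looks like: passwords are stored as salted PBKDF2 hashes, verification uses a constant-time comparison, an unknown username still costs a hash computation so timing does not reveal which usernames exist, and the login endpoint URL is accepted only when its scheme is https. The user store is a constructed in-memory dictionary.

```python
import hashlib
import hmac
import os
from urllib.parse import urlparse

# Iteration count is an assumption for the example; tune it for the server's hardware.
PBKDF2_ITERATIONS = 200_000
_DUMMY_SALT = bytes(16)  # used only to keep unknown-user timing close to known-user timing


def hash_password(password, salt=None):
    """Return (salt, digest) for the password; a fresh random salt is drawn when none is given."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def register(store, username, password):
    """Store only the salt and digest; the plaintext never persists and never reaches a SWF."""
    store[username] = hash_password(password)


def verify_login(store, username, password):
    """Server-side password check; the SWF only ever sees the True/False outcome."""
    record = store.get(username)
    if record is None:
        hash_password(password, _DUMMY_SALT)  # spend the same work for unknown users
        return False
    salt, digest = record
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


def login_endpoint_allowed(url):
    """Accept the configured login URL only if the credential would travel over TLS."""
    return urlparse(url).scheme == "https"


if __name__ == "__main__":
    users = {}
    register(users, "alice", "correct horse battery staple")
    print(verify_login(users, "alice", "correct horse battery staple"))  # True
    print(verify_login(users, "alice", "wrong"))                          # False
    print(verify_login(users, "mallory", "anything"))                     # False
    print(login_endpoint_allowed("https://api.example.com/login"))        # True
    print(login_endpoint_allowed("http://api.example.com/login"))         # False
```

Nothing in the SWF needs the hash, the salt or the comparison logic; the client submits the credential over the https endpoint and receives only the result, which is exactly the separation the slide asks for.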

10
Reference
  • http://livedocs.adobe.com/flex
  • http://www.swfprotect.net

11
Thank You!