Writing secure Flex applications

1. Writing secure Flex applications • MXML tags with security restrictions • Disabling viewSourceURL • Remove sensitive information from SWF files • Input validation • ActionScript • Using passwords.

2. Writing secure Flex applications MXML tags with security restrictions: Some MXML tags trigger operations that require security settings. In these cases, access rights must be granted through one of the permission-granting mechanisms such as the allowDomain() method or a crossdomain.xml file. Example: Referencing a URL that is outside the exact domain of the application that makes a request. Referencing a resource that is in a different sandbox.

3. Writing secure Flex applications Disabling viewSourceURL: If you enabled the view source feature by setting the value of the viewSourceURL property on the <mx:Application> tag, you must be sure to remove it before you put your application into production.

4. Writing secure Flex applications Remove sensitive information from SWF files: The SWF file format is an open format, you can extract data and algorithms contained within a SWF file. This is similar to how HTML and JavaScript code can be easily viewed by users. However, SWF files make viewing the code more difficult. A SWF file is compiled and is not human-readable like HTML or JavaScript.

5. Writing secure Flex applications Remove sensitive information from SWF files: • Do not include sensitive information, such as user names, passwords, or SQL statements in SWF files. • Remove debug code, unused code, and comments from code before compiling to minimize the amount of information about your application that is available to someone with a decompiler or a debugger version of Flash Player.

6. Writing secure Flex applications Remove sensitive information from SWF files: • Do not use client-side username and password checks for authentication. • If your SWF file needs access to sensitive information, load the information into the SWF file from the server at run time. The data will not be part of the compiled SWF file and thus cannot be extracted by decompiling the SWF file. Use a secure transfer mechanism, such as SSL, when you load the data.

7. Writing secure Flex applications Input validation: • To keep the inputs free of malicious characters or code by enforcing input validation by using appropriate tags.(<mx:Validator> tag ) • One advantage of using Flex validators is that they execute on the client, which lets you validate input data before transmitting it to the server. • Another approach to enforce input validation is to use strongly-typed, parameterized queries in your SQL code,therefore SQL server will reject the query if someone tries to inject malicious code.

8. Writing secure Flex applications Action Script: • Handling errors • Suppressing debug output • Using host-based authentication Some ways to try to make your use of Action Script more secure.

9. Writing secure Flex applications Using passwords: • Using passwords in your Flex application is a common way to protect resources from unauthorized access. Test the validity of the password on the server rather than the client, because the client has access to all the logic in the local SWF file. • To ensure that passwords are transmitted from the client to the server safely, enforce the use of SSL or some other secure transport-level protocol.

10. Reference • http://livedocs.adobe.com/flex • http://www.swfprotect.net

11. Thank You!