One of the most important problems in application development is securing the data transferred between client and server. The Flash Player environment has many security rules and controls to safeguard data on the Web, but sometimes they are not enough, so we have to complement them with encryption algorithms implemented in our ActionScript classes. Here is a short overview of the simplest and most useful ActionScript libraries for encrypting data.
The first library is the as3crypto library. It is available on Google Code at this address. As you can see in the documentation, the library provides many hashing algorithms, like MD5 and SHA-256, public key encryption algorithms, like RSA, and secret key encryption algorithms, and it also introduces an SSL engine. I suggest looking at the demo, which shows all the functionality of the as3crypto library. Another encryption library is as3corelib. Like as3crypto, as3corelib is published on Google Code at the address, together with the source code of the library and the documentation, but there isn't a demo for it. Also, as3corelib does not have encryption algorithms, only hashing algorithms.
Sometimes it is useful to measure the security of our applications, so we can use these free products to inspect the data transferred between client and server: SWFScan by HP and Charles. SWFScan automatically finds security vulnerabilities in applications built on the Flash Platform. It decompiles applications built on the Flash Platform to extract the ActionScript code and statically analyzes it to identify security issues such as information disclosure; it identifies and reports insecure programming and deployment practices, and it suggests solutions. You can download it from this site.
HP SWFScan offers several other features to help developers, code auditors/reviewers, and pen-testers examine the contents of Flash applications, including:
- Highlighting the line of source code that contains the vulnerability to help better understand the context of the issue.
- Providing summaries, details, and remediation advice for each vulnerability in accordance with Adobe's recommendation for secure Flash development.
- Generating a vulnerability report to share and solve the detected issues.
- Exporting the decompiled source code for use with other external tools.
- Revealing all the URLs and web services the Flash Application contacts.
- Flagging class names, function names, or variable names that may be of interest, such as loadedUserXml or crypt().
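The decompiled source that SWFScan exports can be reviewed with a small external script. The following is an added example, not SWFScan's own code or rule set: it lists the URLs an ActionScript file contacts and flags declared or called names of interest, using a constructed sample class and an assumed list of name fragments.

```python
import re

# Name fragments worth a reviewer's attention. This list is an assumption
# made for the example; it is not SWFScan's actual rule set.
INTERESTING = ("crypt", "passw", "secret", "token", "key", "user")

URL_RE = re.compile(r"""["'](https?://[^"']+)["']""")
# Declarations: var/const/function/class followed by a name.
DECL_RE = re.compile(r"\b(?:var|const|function|class)\s+([A-Za-z_$][\w$]*)")
# Call sites such as crypt(...).
CALL_RE = re.compile(r"\b([A-Za-z_$][\w$]*)\s*\(")

# Constructed sample of exported, decompiled ActionScript (not from a real SWF).
SAMPLE = '''\
package {
  public class Login {
    private var loadedUserXml:XML;
    private const SERVICE:String = "http://example.com/gateway/amf";
    private const secretKey:String = "s3cr3t";
    public function send(data:String):void {
      var body:String = crypt(data);
      new URLLoader(new URLRequest("https://example.com/login"));
    }
  }
}
'''


def scan_actionscript(source):
    """Return sorted (line_no, kind, value) findings for one source file."""
    findings = set()
    for no, line in enumerate(source.splitlines(), start=1):
        # Every URL literal is reported; plain http:// is marked separately
        # because data sent to it travels unencrypted.
        for url in URL_RE.findall(line):
            kind = "cleartext-url" if url.startswith("http://") else "url"
            findings.add((no, kind, url))
        names = DECL_RE.findall(line) + CALL_RE.findall(line)
        for name in names:
            if any(frag in name.lower() for frag in INTERESTING):
                findings.add((no, "identifier", name))
    return sorted(findings)


if __name__ == "__main__":
    for no, kind, value in scan_actionscript(SAMPLE):
        print(f"line {no}: {kind}: {value}")
```

A hard-coded value such as the constructed `secretKey` constant is readable by anyone who decompiles the SWF, which is why flagged names deserve a manual look.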
Charles is an HTTP proxy and an HTTP monitor. It lets you see all the data transferred by a web browser or between a client and a server, and it is also able to monitor AMF protocol traffic. You can find more information here. I think it's a very useful tool for visualizing the data transfer between client and server, and it is a great help in exposing security bugs in our SWF applications. Next time I will go deeper into all the functionality of this software.
Regards