
25.02.11

Categories: Flash

Encrypting XML in Flash

While it’s always been possible (using Safari’s activity view, for example) to see what external assets are being accessed by a Flash movie, browser plug-ins such as Firebug, Live HTTP Headers, and Tamper Data also make it easy to see, and modify, all the requests that are passed back and forth between a client and server, including calls from a Flash movie to the server.

Loading XML has long been established as a way for Flash to load external data, but if you do not want people to be able to view that data externally, some kind of encryption is required. We recently had this requirement when building a quiz game for a client. We wanted the questions to be in an external file so that they could be edited and added to without requiring changes to the Flash SWF. However, a raw external XML file would allow users to download it and look up all the correct answers.

Building on the work of the extensive AS3 Crypto class, the simple Blowfish Encryption class from Lassie games, and also the Binary XML class from Ghostwire, we’ve created a tool which allows you to load a file, encrypt it with a key of your choosing, and save it out.

Here’s how to use it:

  1. Firstly, type some text, or use the Load button to open an external text file.
  2. Enter some text, which may be a memorable word, in the Key field, or click the Generate button to create a random 128-bit key.
  3. Click the Encrypt button to encrypt the Input text with the contents of the Key field, using the Blowfish algorithm. The result is displayed in the Output text area.
  4. Click the Save button to export the encrypted file. If you have generated a random key, remember to also copy and paste it into a text editor to save it.
  5. You can check it is working by either pasting the encrypted text back into the Input text area and clicking decrypt, or by loading in an encrypted file.

Practical applications

The load and decrypt functions can then also be used inside your Flash game or quiz or whatever, to load in the encrypted XML file, decrypt it and then parse the resultant XML.

Download the source here.

You can view a sample quiz game here.

Download the source of the quiz.

Next steps

If you have a game that needs to write the score to a server in order to update a high-score table, playcount, etc., then you can use the same principle to encrypt the output, which is then decrypted on the server. This provides a basic level of security, better than simply transmitting the score etc. in cleartext. For a more thorough discussion on this, see here.

Because the secret key is a string variable stored inside the Flash movie, it is vulnerable to being exposed by SWF decompilers such as Sothink SWF Decompiler. So for full protection you would also need to encrypt the SWF movie, using a tool such as SWF Encrypt from Amayeta or secureSWF.
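A pre-deployment check for the exposure described above, as an added example (not part of the original post or its source download): it inflates a SWF and looks for the key as a literal string. `SAMPLE_KEY`, `build_sample` and the two sample movies are constructed for illustration.

```python
import struct
import zlib


def swf_body(swf: bytes) -> bytes:
    """Return the SWF contents after the 8-byte header, inflated if needed."""
    if len(swf) < 8:
        raise ValueError("too short to be a SWF file")
    signature = swf[:3]
    if signature == b"FWS":            # uncompressed movie
        return swf[8:]
    if signature == b"CWS":            # zlib-compressed after the header
        return zlib.decompress(swf[8:])
    raise ValueError("unsupported SWF signature: %r" % signature)


def key_offsets(swf: bytes, key: str) -> list:
    """Offsets in the inflated body where the key's UTF-8 bytes appear."""
    body, needle = swf_body(swf), key.encode("utf-8")
    hits, pos = [], body.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = body.find(needle, pos + 1)
    return hits


def build_sample(body: bytes, compressed: bool = True) -> bytes:
    """Constructed input: a SWF-style header around raw bytes, not a playable movie."""
    signature = b"CWS" if compressed else b"FWS"
    header = signature + bytes([10]) + struct.pack("<I", 8 + len(body))
    return header + (zlib.compress(body) if compressed else body)


SAMPLE_KEY = "quiz-demo-key-123"   # constructed value, not from the article
# Length-prefixed string surrounded by padding, mimicking a constant-pool entry.
LEAKY_BODY = b"\x00" * 16 + bytes([len(SAMPLE_KEY)]) + SAMPLE_KEY.encode() + b"\x00" * 8
LEAKY = build_sample(LEAKY_BODY)
CLEAN = build_sample(b"\x00" * 40)

if __name__ == "__main__":
    for name, movie in (("leaky", LEAKY), ("clean", CLEAN)):
        hits = key_offsets(movie, SAMPLE_KEY)
        print(name, "key found at", hits if hits else "no offsets")
```

A hit means the key sits in the movie as a plain string constant. An empty result only shows that the literal is absent; code that assembles the key at run time is still inside the SWF.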

Remember, when you deploy the files to the live server, to upload only the encrypted versions!
