Re: Flash Obfuscation

[0x4150 <0x4150 () gmail com>]

My company had a pen test of the application and the tester reported
that we should obfuscate the flash content. I would like to make it as
difficult as possible for an attacker to reverse and understand the
application logic. The application deals with sensitive data so I want
to protect it (as much as possible). I was told there were ~3 products
on the market which can obfuscate flash, but none seemed reputable.

On Fri, Apr 30, 2010 at 6:58 AM, Brad Causey <bradcausey () owasp org> wrote:
> What's your goal? Maybe thatll help us help you.
>
> On 4/30/10, Paul Melson <pmelson () gmail com> wrote:
> > On Thu, Apr 29, 2010 at 2:05 AM, 0x4150 <0x4150 () gmail com> wrote:
> > > Has anyone done obfuscation of a flash application? If so, what
> > > tool(s) would you recommend?
> >
> > I wouldn't recommend any of them as a way to actually secure anything
> > as the end result must still be a SWF file that Flash Player can parse
> > correctly, and therefore they can be decompiled or debugged in order
> > to reverse the code.
> >
> > The only example of obfuscated ActionScript that I've seen to date has
> > been a malware dropper. In that case it was about 20 minutes by hand
> > to reverse. About 1 minute for Wepawet to do the same.
> >
> > PaulM
> >
> >
> >
> > This list is sponsored by Cenzic
> > --------------------------------------
> > Let Us Hack You. Before Hackers Do!
> > It's Finally Here - The Cenzic Website HealthCheck. FREE.
> > Request Yours Now!
> > http://www.cenzic.com/2009HClaunch_Securityfocus
> > --------------------------------------
>
> --
> Sent from my mobile device
>
> -Brad Causey
> CISSP, MCSE, C|EH, CIFI, CGSP
>
> http://www.owasp.org
> --
> "Si vis pacem, para bellum"
> --



This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now! 
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------