
Note: This article was originally authored for Adobe Flash Player 9,0,115,0 and has been updated for Flash Player 10. Changes to this article were made to reflect updates to cross-domain HTTP and socket policies, user-initiated action requirements, and other protections added in Flash Player 10. The article was also updated to reflect recent projects, clarifications on Flash Player port usage, and additional best practices.
Adobe frequently updates the Flash Player software security model to improve the security of the Flash Player environment. However, that addresses only half of what is needed to securely deploy applications that run in Flash Player. As the web developer, you must also correctly use the tools provided by the Adobe ActionScript language and the Flash Player platform to help ensure that your SWF files are more secure. Poor programming conventions can expose SWF files and the sites that host them to web attacks. Adobe provides many resources for developers (such as the Flash Player security section of the Programming ActionScript 3.0 for Flash documentation) to assist with developing more secure code.
This article outlines many of the security considerations associated with common tasks and provides samples of techniques that can be used to help secure code against those threats. Links to the full documentation are provided throughout the article for further reference. These techniques are designed primarily for the Adobe Flash development environment, but they can also be applied by Adobe Flex developers.
This highly technical article presumes that you have some knowledge of the ActionScript language and Flash development. Due to its length, the article is broken up into different sections based on what you are trying to accomplish as a developer or administrator:
Most of this article is targeted at those who create complex websites using the Adobe Flash Platform. Throughout the article, there are links to additional resources for greater detail on all the issues discussed.
To get the most out of this article you will need to install the following software:
You should have an understanding of ActionScript 2.0, ActionScript 3.0, and Flash Player. Knowledge of Flash CS4 Professional or Flex is encouraged but not required.
Peleus Uhley is a senior security researcher within the Secure Software Engineering team at Adobe. His primary focus is assisting with Adobe platform technologies, including Flash Player and AIR. Prior to joining Adobe, Peleus started in the security industry as a developer for Anonymizer, Inc., and went on to be a security consultant for companies such as @stake and Symantec.