Creating more secure SWF web applications


Peleus Uhley

Adobe

Created: 20 December 2007

User Level: Intermediate

Products: Flash Player, Flash, Flex

Adobe frequently updates the Flash Player software security model to improve the security of the Flash Player environment. However, that addresses only half of the overall solution to help securely deploy applications that run in Flash Player. As the web developer, you must also correctly leverage the tools provided by the ActionScript language and the Flash Player platform to help ensure that your SWF files are more secure. Poor programming conventions can expose SWF files and the sites that host them to web attacks. Adobe provides many resources to developers, such as its Secure Programming Guide, to assist with developing more secure code.

This article outlines many of the security considerations associated with common tasks and provides samples of techniques that can be used to help secure code against those threats. Links to the full documentation are provided throughout the article for further reference. These techniques are designed primarily for the Flash Professional development environment, but they can also be applied by Flex developers.

Requirements

To get the most out of this article you will need to install the following software:

Flash CS3 Professional (optional)

Flex Builder 3 beta (optional)

Flash Player 9 Update 3 (9,0,115,0) or later

Prerequisite knowledge

You should have an understanding of ActionScript 2.0, ActionScript 3.0, and Flash Player. Knowledge of Flash Professional or Flex is encouraged but not required.

About the author

Peleus Uhley is a senior security researcher within the Secure Software Engineering team at Adobe. His primary focus is assisting with Adobe platform technologies, including Flash Player and Adobe AIR. Prior to joining Adobe, Peleus started in the security industry as a developer for Anonymizer, Inc., and went on to be a security consultant for companies such as @stake and Symantec.