Home

Review: Kindisoft SecureSWF

If our recent review of Flash decompilers has left you feeling a little uneasy about the vulnerability of your code, then Kindisoft might have just the thing for you. SecureSWF is an Actionscript obfuscator that aims to protect your files from scrutiny. So how does it work? FlashMagazine decided to put it to the test.

What is it? SWF Encryption utility
Platforms: Windows (requires .NET v1.1+.)
Manufacturer: Kindisoft LLC
Website: http://www.kindisoft.com
Cost: Perpetual license: Personal $99, Professional $400

If you've ever worked with the Flash video encoder the you'll find the SecureSWF workflow pretty familiar. SWF files are batch processed and you begin by using the 'Add' dialogue box or simply dragging files onto the app. A statistics box in the bottom right hand corner of the screen gives you some useful metrics on your project including the total number of: SWF files, MovieClips, Local identifiers, Symbol instance names, Frame labels, Classes and Class members.

If you are happy with the default settings you can start the obfuscation process straight way. For a bit more control you can tweak a myriad of options for each of the following techniques:
- Code transformation
- Optimization
- Literal Strings Encryption
- Encrypted Domain Locking
- Identifiers renaming
When you are done, all of your settings can be saved in a project file.

AS3 isn't currently supported (although I'm told it's in the works) so I tried out an AS2+Flash 8 file to see how SecureSWF got on. On the first pass I left the Protection options on the defaults. The build time was very quick but was accompanied by a warning box: "The following identifiers' names reappeared in the SWF file. If the output SWF file didn't function properly, consider deselecting them:". Around 30 items were listed. Sure enough the SWF didn't work as it should: Buttons ignored mouse clicks and the dynamic XML didn't load.

Taking the advice of the warning box I deselected all the identifiers in the list and had another go. This version worked much better, but not perfectly. Certain functions that relied on ids still failed. There was nothing else for it; I was going to have to read the manual!

Digging into the Protection Options section is a real eye-opener. There is a lot to get your head around in there. SecureSWF uses a variety of inventive techniques to obfuscate your files but you have to understand what it's doing. Going with the defaults and keeping your fingers crossed is only going to get you into trouble. Switching off 'Identifier renaming' did the trick for me and the file then worked as expected.

Now for the big test. Can I decompile it? Well yes and no. The Trillix Decompiler did pull in the file but the code was completely meaningless. All the assets were exposed and available so it's worth baring in mind that code obfuscation won't protect them. Just for kicks I tried exporting an FLA from Trillix then recompiling it, but it didn't produce anything useful.

Verdict: SecureSWF definitely works but you need to configure with care.
visit Kindisoft