author: Krasimir Tsonev

Hi there, I'm . Senior front-end engineer with over 13 years of experience. I write, speak and occasionally code stuff.

How to protect your SWF file

Is there any way to protect your flash work? To be honest the answer is NO. As you probably know everything that is uploaded on a web server and is accessible from a web browser is downloaded to the users' computers and could be found in the temporary directories. Once someone gets your swf file he could use one of the dozen decompilers to reproduce the .fla and .as files. Anyway, there are still some ways to make stealing difficult.
First of all use FLEX SDK to produce your swf files. You can still use Flash for your assets, but it's good to compile the final swf using the SDK. It's because some of the decompilers can't roll back Flex applications. Check this article to find out how to create an application with Flex SDK.So, we know that everyone can download your swf and with good tool they could restore the .as files. If you try a decompilation you will see that in some cases the code is not 100% identical. The names of the variables are replaced. For example a function "loadXMLData" is transformed to "_func23". It's a little bit difficult to work with such kind of code, but the application is still compilable. What I'm using to protect my swf is to ping a php file that is stored on my own server. The string that is returned by the file is controlled by me and can not be changed by anyone else. I'm adding a little additional code that checks the returned value. Here is an example:
package {
    import flash.display.MovieClip;
    import flash.text.TextField;
    public class App extends MovieClip {
      public
      var field: TextField;
      public
      function App(): void {
        debug("App constructor");
        Protect.check("http://krasimirtsonev.com/files/protectyourswf/check.php", "krasimirtsonev", onSuccess, onFailed);
      }
      private
      function onSuccess(): void {
        debug("onSuccess");
      }
      private
      function onFailed(): void {
        debug("onFailed");
        visible = false;
      }
      public
      function debug(str: * ): void {
        field.htmlText += String(str) + "";
      }
    }
  }
In other words: I check "http://krasimirtsonev.com/files/protectyourswf/check.php" and if it returns "krasimirtsonev" I'm calling "onSuccess", if not I'm calling "onFailed". As you can see in onFailed function I hid the main MovieClip. Of course you can call Protect.check method deeply somewhere else in your application. Here is the code of the Protect class:
package {
    import flash.net.URLLoader;
    import flash.events.Event;
    import flash.events.IOErrorEvent;
    import flash.net.URLRequest;
    public class Protect {
      private static
      var _callbackOnSuccess: Function;
      private static
      var _callbackOnFailed: Function;
      private static
      var _loader: URLLoader;
      private static
      var _value: String;
      public static
      function check(url: String, value: String, callbackOnSuccess: Function, callbackOnFailed: Function = null): void {
        _value = value;
        _callbackOnSuccess = callbackOnSuccess;
        _callbackOnFailed = callbackOnFailed;
        _loader = new URLLoader();
        _loader.addEventListener(Event.COMPLETE, onDataLoad);
        _loader.addEventListener(IOErrorEvent.IO_ERROR, onDataFiledToLoad);
        _loader.addEventListener(IOErrorEvent.NETWORK_ERROR, onDataFiledToLoad);
        _loader.addEventListener(IOErrorEvent.VERIFY_ERROR, onDataFiledToLoad);
        _loader.addEventListener(IOErrorEvent.DISK_ERROR, onDataFiledToLoad);
        _loader.load(new URLRequest(url));
      }
      private static
      function onDataLoad(e: Event): void {
        if (e.target.data.toString() == _value) {
          if (_callbackOnSuccess != null) {
            _callbackOnSuccess();
          }
        } else {
          if (_callbackOnFailed != null) {
            _callbackOnFailed();
          }
        }
      }
      private static
      function onDataFiledToLoad(e: Event): void {
        if (_callbackOnFailed != null) {
          _callbackOnFailed();
        }
      }
    }
  }
By using this technique you are protecting your swf no matter where it is uploaded. On yours or on some other server. Of course, for an advanced developer it will not be so difficult to find out why the main MovieClip disappears, but it's still something that he has to handle with. I also recommend using tools like secureSWF or swfEncrypt. They will definitely keep your swf from stealing. Note:Don't forget to upload a crossdomain.xml file in your main directory. Without this file your Protect class will not be able to ping the php file.
If you enjoy this post, share it on Twitter, Facebook or LinkedIn. Or maybe comment below: