Encryption vs. Obfuscation

Summary

There are two common approaches to protecting source code that is released on virtual machine or runtime platforms. This chapter compares the two approaches, covers their advantages and disadvantages, and explains why Nitro-LM ultimately uses encryption to protect Flex and AIR applications.

Obfuscation

Obfuscation is the process of scrambling or otherwise hiding the intent of ByteCode so that when it is decompiled it is more difficult to understand. Obfuscation won't protect all of the assets inside a SWF file and will often leave constants such as URLs and other sensitive information in the clear.

Obfuscators also suffer in that the code you run isn't the same as the code you initially developed. All of your code needs to be tested twice to ensure that the obfuscator didn't introduce bugs into the final operation of your application.

The final area of difficulty when dealing with obfuscators is runtime debugging. If you've released an obfuscated version of your application, any error messages or stack traces reported by your customers will be confusing and difficult to track down. Obfuscators often rename functions, so it can be fairly difficult to trace where the errors actually occurred.

Some obfuscators use what's called "Encrypted" obfuscation. This should not be confused with true encryption. They're simply using an encryption algorithm as the mechanism to scramble the code.
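
The point above about constants such as URLs surviving obfuscation can be checked on your own build before release. The following is an added example, not part of Nitro-LM or the original page: it reads a SWF body (FWS, or zlib-compressed CWS) and lists URL constants that are readable without any key. The sample bytes, the example.test hostnames and the function names are constructed for illustration.

```python
import re
import struct
import zlib

# Printable-ASCII URL pattern; enough for a release gate, not a full URL parser.
URL_RE = re.compile(rb"(?:https?|rtmps?|wss?)://[\x21-\x7e]{4,}")


def swf_body(data: bytes) -> bytes:
    """Return the uncompressed body that follows the 8-byte SWF header."""
    if len(data) < 8:
        raise ValueError("too short to be a SWF file")
    sig = data[:3]
    if sig == b"FWS":   # body stored uncompressed
        return data[8:]
    if sig == b"CWS":   # body zlib-compressed after the header
        return zlib.decompress(data[8:])
    # Other signatures (e.g. LZMA-compressed ZWS) are not handled here.
    raise ValueError(f"unsupported SWF signature {sig!r}")


def cleartext_urls(data: bytes) -> list[str]:
    """List URL constants readable in the SWF body without any key."""
    found = {m.group().decode("ascii") for m in URL_RE.finditer(swf_body(data))}
    return sorted(found)


def make_sample_swf(body: bytes, compressed: bool) -> bytes:
    """Build a constructed SWF-framed blob (header + body) for the demo."""
    header = (b"CWS" if compressed else b"FWS") + bytes([10])
    header += struct.pack("<I", 8 + len(body))  # uncompressed file length
    return header + (zlib.compress(body) if compressed else body)


# Constructed sample: identifiers renamed to _a1/_b7/_c9 as an obfuscator
# would do, while the string constants are left untouched.
SAMPLE_BODY = (
    b"\x00\x03_a1\x00\x03_b7\x00"
    b"\x1ehttps://license.example.test/v1\x00"
    b"\x03_c9\x00\x1ertmp://media.example.test/live\x00"
)

if __name__ == "__main__":
    for compressed in (False, True):
        swf = make_sample_swf(SAMPLE_BODY, compressed)
        print(swf[:3].decode(), cleartext_urls(swf))
```

Running the same check against an encrypted asset should return an empty list, since the body is not readable without the key.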

Encryption

Encryption is an algorithm that protects information by using an encryption key. The correct key must be present in order for the original information to be retrieved.

Symmetric Encryption

Symmetric encryption refers to the set of encryption algorithms that use the same key for both encryption and decryption. DES, AES, and Blowfish are some commonly used symmetric encryption algorithms. These algorithms are generally fast and can be useful when simple security will do, or when combined with asymmetric algorithms.

Asymmetric Encryption

Asymmetric encryption differs from symmetric encryption in that two keys are used as a pair. One key is used for encrypting data, and another is used for decrypting data. RSA is an example of an asymmetric encryption algorithm.

Nitro-LM uses a combination of asymmetric and symmetric algorithms to accomplish the encryption of Flex and AIR applications. By storing the decryption keys on the Nitro-LM servers and only allowing access to them after a valid authentication, Nitro-LM keeps sensitive information from being decompiled.

In Nitro-LM, the AssetEncrypter AIR application is used to truly encrypt SWF files and protect them from being decompiled. Nitro-LM also ships with an ANT task, AssetEncrypterX.jar, that allows you to script the build and encryption process for your Adobe® Flex™ or AIR™ application.


Note: If using AssetEncrypter, log in with your Nitro-LM account and the corporate id "encrypt".

Comparing the approaches

If encrypted and properly licensed, your source code cannot be decompiled and is as useless to a hacker or competitor as moldy bread.
