
HARMAN! What are you doing against DECOMPILERS that steal our apps, source code and resources?

Participant, Aug 07, 2020

Hi everyone,

Do you know that anybody with pretty little knowledge can extract your entire app from an APK and use it freely on Windows or Mac?

Do you know that the Internet is full of SWF decompilers that can extract your entire SWF content, even the SOURCE CODE exactly as you wrote it, with exact variable names, code structures, classes, imports, etc.?

An APK is just a Zip file; anybody can extract the SWF and the XML descriptor file and run your app using the AIR runtime on any platform where the AIR runtime is supported. Your app can even be repacked, signed with a new certificate and published without any inconvenience, so your app can easily be stolen, and if all the source code, resources, images, audio, etc. can be extracted too, you cannot demonstrate that you are the author of that app unless you have registered it for copyright or something like that.

So the question to HARMAN is: what are they doing to start protecting Adobe AIR apps from being stolen or decompiled? Are they thinking of encrypting SWFs, or at least obfuscating them? Are they thinking of some kind of SWF binary generation that only works with the mobile captive runtime, so that extracted SWFs stop working?

HARMAN, must we stop using Adobe AIR due to its insecure ecosystem, or can we expect some solution?

The attached screenshots show what a free-to-download decompiler can do with a SWF extracted from an APK.

TOPICS
Development , Other , Packaging , Product issue

Views

1.2K
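A release-time check for the exposure this post describes, as an added example that is not part of the original thread: because the package is an ordinary ZIP, a developer can inventory which entries of their own build are SWFs readable as-is. The sample package, its entry names and the "protection step" are constructed assumptions; the FWS/CWS/ZWS signatures and the 8-byte header layout come from the SWF file format.

```python
import io
import struct
import zipfile

# First three bytes of a SWF: compression marker + "WS".
SWF_MAGIC = {b"FWS": "uncompressed", b"CWS": "zlib", b"ZWS": "lzma"}

def audit_package(fileobj):
    """Report every ZIP entry that is a readable SWF or is named *.swf."""
    findings = []
    with zipfile.ZipFile(fileobj) as pkg:
        for info in pkg.infolist():
            if info.is_dir():
                continue
            with pkg.open(info) as entry:
                head = entry.read(8)  # signature(3) + version(1) + length(4)
            kind = SWF_MAGIC.get(head[:3]) if len(head) == 8 else None
            if kind:
                version, declared_len = struct.unpack("<BI", head[3:])
                findings.append({"name": info.filename, "readable_swf": True,
                                 "compression": kind, "version": version,
                                 "declared_len": declared_len})
            elif info.filename.lower().endswith(".swf"):
                # Named like a SWF but no SWF header: wrapped, encrypted or corrupt.
                findings.append({"name": info.filename, "readable_swf": False})
    return findings

def exposed_swfs(findings):
    """Names of entries any SWF tool could open straight from the archive."""
    return [f["name"] for f in findings if f["readable_swf"]]

def build_sample_package():
    """Constructed stand-in for a release package (entry names invented)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("assets/game.swf", b"CWS" + struct.pack("<BI", 32, 4096) + b"\0" * 16)
        z.writestr("assets/wrapped.swf", bytes(range(1, 33)))  # hypothetical protection step output
        z.writestr("assets/descriptor.xml", b"<application/>")
        z.writestr("res/raw/intro.bin", b"FWS" + struct.pack("<BI", 10, 64))  # SWF under another name
    buf.seek(0)
    return buf

if __name__ == "__main__":
    report = audit_package(build_sample_package())
    for finding in report:
        print(finding)
    # A release gate would fail the build when this list is not empty.
    print("readable SWFs:", exposed_swfs(report))
```

Matching on the header rather than the file extension also catches a SWF shipped under another name, and a `.swf` entry without a SWF header only shows that the bytes are not a plain SWF, not that the wrapping is strong.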

Engaged, Aug 18, 2020

This is not something that came from HARMAN. The issue with the APK is that the compilation is not AOT (as it is on iOS); it uses JIT instead. There are a few options to make your APK more secure, like using an obfuscator (secureSWF) that works with mobile apps too, but AIR was never secure when it comes to decompiling.

You should probably start looking at other frameworks if you are concerned with security.

Participant, Aug 18, 2020

Hi Leo,


Well, indeed I am currently moving to other frameworks right now and have started porting several games, just because of this security issue. I used SecureSWF for years until it became incompatible with the most recent AS3 BitCode, and it is innocuous due to the sophistication of the SWF decompilers that are able to reverse obfuscation right now.

But certainly it is a matter that directly concerns Harman if they really want to revive AIR and put it in competition with other frameworks like Unity, the same way they are already doing with its price, which is a little bit more expensive than Unity.

The runtime should implement native encryption/decryption just for the embedded SWF. This is not only related to APKs: desktop AIR apps had exactly the same vulnerability, and IPAs as well; they move the AS3 bitcode to the main binary at the root with the same name as the SWF, so it is quite easy to extract the source code from it.

The encryption happens in the packaging process and the decryption happens at runtime, directly into the device's memory. Some frameworks do that because they care about security and privacy, not only about money.

Engaged, Aug 20, 2020

I doubt that this will happen any time soon. My company is already moving most apps to Flutter to avoid any issues in the long run.
