- How does Flash weight against Silverlight and Html5 in terms of security?
- If I build a website in Flash or Flex, is it possible for a hacker to affect the swf object and compromise the visitor´s computer or affect the way he sees the swf object?
- In the past Flash has not been considered secure and still there seem to be security vulnerabilities. Can a hacker use these security vulnerabilities to affect Flash/Flex/Air applications in general or does the hacker build a Flash application that uses these security vulnerabilites?
Thanks
1) Well, in terms of security, HTML5 would be the ‘most secure’, but really it comes down to the browser itself. Safari can be hacked into in 5 seconds while nobody has been able to hack Chrome yet. When it comes to Flash or Silverlight, both are pretty much the same, but Flash gets more flack because it’s the most used/popular. It’s like trying to compare virus’ for Windows compared to Mac. If someone creates a virus (or a hack in this case), it’s going to be for the most popular medium to reach as much people as possible. I’ve never had a Flash security flaw affect me and Adobe is fairly good at providing a patch within weeks of the issue and making the public know about it to protect themselves. It mostly comes down to common sense; don’t open sketchy emails, websites or attachments.
2) The only way for that to happen is if someone hacks your webserver itself and places their own file there. There is no way to change the way something is displayed without changing the swf itself. What a person can do however is decompile the Flash swf to either reuse your code or find out other security issues (like say server connectivity and such). There are apps like Trillix Flash Decompiler that does this pretty well, but the resulting code is very hard to work with. The good news is that you can obfuscate it using an app like SWFEncrypt that makes your code impossible to read after decompiling. Frankly, if someone can get ‘value’ out of decompiling your code, you aren’t coding your application properly and there’s a security issue in your system anyways.
3) Flash is actually very secure if you don’t listen to idiots spewing anti-flash sentiments because they worship Steve Jobs. Adobe is on top of every major bug and make sure that the bug is public knowledge to help the users (which can’t be said for many companies). There are browsers that sandbox Flash for extra security (Chrome and I think Firefox 4). Essentially, Flash bugs gets more attention because Flash is everywhere, but people forget that there are more terrifying bugs in OS X, Safari and Windows. Plus, most of the bugs mentioned as of late are related to embedded Flash movies in Excel/Word documents. My suggestion is that you don’t open sketchy documents from people you don’t know…