Regarding Flash/AS3… Well they did not design a secure system thats for sure. But this post is more to discuss the Socket implementation and some minor aspects that might help those in need, rather than reflecting upon security on flash (take a look at this if you’re on that page and test your apps firmly, like this).
There are two Socket implementations available:
XMLSocket (official reference) The XMLSocket class implements client sockets that let the Flash Player or AIR application communicate with a server computer identified by an IP address or domain name. It is useful for client-server applications that require low latency.
Socket (official reference) The Socket class enables code to make socket connections and to read and write raw binary data. It is similar to XMLSocket but does not dictate the format of the received or transmitted data. It is useful for working with servers that use binary protocols.
Common Security Violation in Flex/Flash projects (text=Error #2048: Security sandbox violation)
This is a very common problem, it is due to what we’ve talked before and the workaround is available at adobe main download page , its a script/exec called LCU (Local Content Updated) and basicly here I show how you use it:
>Download it and be sure you can run it (if needed use chmod 755 LocalContentUpdater)
>Call the exec ./LocalContentUpdater -a some.swf, supplying a .swf file, use -a to grant network acess to that file.
If you jave Linux, and a 64 bit amd system it will probably give you an error, but do not fear! I’ve found some guidance on Let’s Bootstrap This World (whom I thank) that solves this minor issue with libstdc++ on Ubuntu 64 bits – original post here.
EXTRA> sometimes it can said that it is Missing libstdc++.so.5, in that case do the following:
cd /tmp wget http://security.ubuntu.com/ubuntu/pool/universe/i/ia32-libs/ia32-libs_2.7ubuntu6.1_amd64.deb dpkg-deb -x ia32-libs_2.7ubuntu6.1_amd64.deb ia32-libs sudo cp ia32-libs/usr/lib32/libstdc++.so.5.0.7 /usr/lib32/ cd /usr/lib32 sudo ln -s libstdc++.so.5.0.7 libstdc++.so.5
It is done. Now you can write security-endangered flash code! (open source style!)
p.s.: Interesting aspect is that the tool LocalContentUpdater is actually open source (download c++ code) so you can integrate it on your scripts/code.
I still get the text=Error #2048: Security sandbox violation ! Did I mention Flash security model is chaotic?
Okay, theres one more thing you must know (apart that security model is chaotic), there’s a policy file that flash requests when connecting to an external socket (either in real-remote-world or in-localhost-world.. doesn’t matter) by calling `<policy-file-request/>’ to the server.
(I’m testing this in a funny way, I have a Ruby on Rails server listening on localhost:3000 and flash binds to it, because Webricks is quite verbose I see that flash tryed a `<policy-file-request/>‘).
A policy file is specified in a crossdomain.xml, if you want you can read more about it here (and official announcement here!), or simply ignore security and write and open policy, like this one I use:
<allow-access-from domain=’*’ to-ports=’*’ secure=’false’/>
Okay, If you do get this so called securuty flash errors, learn one thing there is a log in: /home/username/.macromedia/Flash_Player/Logs in a file policyfiles.txt. I use this guide (official Adobe) to debug the policy errors.
But MORE IMPORTANT THAN ALL ABOVE is the configuration for the trusted sites, this usually solves the problem alone, just go to this file: /home/username/.macromedia/Flash_Player/#Security/FlashPlayerTrust/flexbuilder_plugin.cfg and edit it by adding your application path on the end.
If you are thinking why did I not start by telling you this, the true reason is I think this folder+config is installed by the Adobe-Flex-Builder and not by the Open Flex SDK (I compile by hand, but tryed to use the Flex Builder inside Eclipse once and I think he created this config for the compiler). I’ll sort this out when I have the free time!
What can you code with Flex/AS Sockets?
A million quadrillion things, such as this one.