Archive for the ‘Software Security’ Category


In AIR 3.0, Adobe released a new feature called Native Extensions. Native extensions are a special .ANE file you include in your AIR project that contains both ActionScript and .DLL/.framework code. At NitroLM, we’ve been waiting for a feature like this for a number of years. Our current C/C++ client library is our most secure and preferred method of talking to our license servers. This Native Extension functionality from Adobe has allowed us to make Adobe AIR a first-class citizen of our ecosystem along with Java, .NET, and C/C++ applications.

While the primary focus of our ANE is on delivering a world-class software licensing and payment solution, we recognize that some people may already have an existing system in place. For those people, we offer black-box encryption capabilities that don’t require our licensing server. You can encrypt your .swf modules using our proprietary algorithms and decrypt and load safely inside native code at runtime. Decrypted module bytes are never exposed to the player where an attacker can get at them. The black-box encryption capabilities will be provided as a $100/year/developer license.

Watch this sneak peek video for an example of our fully-licensed encryption/decryption capabilities.



Every once in a while, we talk to people who discover a cryptography library in their chosen language and think it is their magic answer for gaining code “security”. They go about applying block ciphers to important data without really understanding what those ciphers do and do not protect.

Like any good business, we like to keep an eye on what our competitors are doing in the security space. Yesterday, a new one showed up on the internet and I was asked to take a look at it by our marketing team. My internal reviews of competitor products help our marketing team compare and contrast our products and approaches to security. They are often asked pointed questions by potential customers and they like to be prepared with accurate answers. Often, we don’t occupy the same segment of the market, or we have a completely different approach to solving security problems. Sometimes, reviewing a competitor’s product shows a gap in our own features or functionality. In this sense, we improve, our competitors improve, and the customer wins. This is largely what good capitalism is all about.

However, yesterday, I was utterly disgusted by the product I reviewed. Their library could be completely decompiled. Their algorithms for communicating with the server were plainly visible. Their license was a simple XML block encrypted with a simple block cipher. All communication was done over HTTP, and the encryption key was the exact same key used to validate a product. In order to validate a product, you were sending that key over an HTTP GET request completely in the clear.

This really highlights the problem with encryption. Too many people view it as a black box and think it will magically increase security. Employed in the wrong way, it does no such thing. If you don’t protect your keys, if you send secret information in the clear over HTTP, or if you don’t protect the source code that handles all of your magic algorithms, you’re asking for problems. In that situation you’re usually no better off with a real encryption algorithm than with a simple Caesar cipher.

In Nitro-LM, we make sure we protect our communication library with either native code or internal code-hiding algorithms that defeat decompilers. We communicate over HTTP, but encrypt all traffic using RSA public-private keys to ensure that ONLY the receiver can read the data. Underneath that top level of security, our license and all of our license data is encrypted between 5-10 times with randomized algorithms, keys, and proprietary key-hiding techniques. We instruct our customers on proper key-hiding techniques and on how to communicate with our servers in a secure fashion. By utilizing data contained in the license, they can further protect themselves from someone being able to operate their software in a hacked manner.

Encryption in itself is not a silver bullet. Encryption plus knowledge and proper key protection can be a winning combination.



The short screencast above gives an overview of what Library Keys are and how they are set up and used in Nitro-LM.


After the firestorm of web traffic we got from the previous post on How to Hack an AIR App SWF, I thought I’d pass this link on to our readers. David Wolever has done a bit of SWC file hacking to modify a private method to make it protected.

Even though this hack is an extremely useful and very “white-hat” endeavor, it does highlight what’s possible when working with open file formats and virtual runtime environments like the Flash Player.

Overriding private methods in ActionScript, the hard way


Disclaimer – Simplified Logic respects intellectual property rights and in no way supports using hacked or cracked software. What follows is simply an educational exercise with the intent of highlighting the security dangers of releasing unprotected software in virtual machine environments such as the Adobe Flash Player.

It’s fairly common for me to see comments on blogs and forums playing down the security risk of decompiled software. They say things like “Source code isn’t intellectual property”, or “Nothing is 100% secure, so why bother with protection?”. While it’s true that in virtual machine environments NOTHING is 100% secure, there can be great value in taking some measures to protect your software. Many companies’ approaches to software security are akin to the Jeff Foxworthy comedy bit about putting the house keys under the mat with a sign on the front door saying “The key is under the mat…”: your only hope is a blind burglar (listen at 20:25 into the clip).

Continue reading “How to Hack an AIR App SWF” »


The Online Flex Meetup Group is organized by John Mason out of Atlanta, GA. His group attracts attendees from all over the USA and the world. We received an invitation to present to this group on June 10, 2009. The event was recorded and also covered some material that was presented at the 360|Flex Conference in Indianapolis, IN in May 2009. Enjoy!

>> Link to MeetUp Nitro-LM Overview Recording <<


I recently had an opportunity to present Nitro-LM to the Atlanta Flash user group on the topic of DRM and the Flash Platform. The slides are attached (you’ll have to rotate them in Adobe Reader; for some reason, SlideRocket didn’t print them out right-side up) along with the recording of the WebEx meeting.

Continue reading “DRM and the Flash Platform” »


OK, this is more than a bit unusual. According to the support documentation at Apple, the latest version of iWork ’09 does not come with any serial numbers when purchased in store.

Hmmm… Why would Apple do this?

Continue reading “Opps! Um…. GOOD NEWS!” »


In designing the new interface for Nitro-LM Administrator, I’ve had the pleasure of designing the new Report Builder interface. In the current production version of this tool, we have a handful of reports that licensees and customers can use to see various aspects of usage data.

Continue reading “Report Builder – Combining Charts with Degrafa” »


We never thought we would ever see this in a licensed commercial software product, but here it is…

Continue reading “Throwing in the Towel!” »