Is there any best way to implement Encryption in Flex 3 - actionscript-3

we have one application where we are pulling some confidential information from one of the product design tools. So we have used HTTPS as the channel and also we are encrypting the Request Parameters and Some data before we sent it to Web Services. So, Everything seems OK.
But when we gave the application for Security auditing they found we have hard coded the encryption key in source code. They have used Sothink SWF Decompiler to look into my SWF file. They caught the key and raised concern over it.
We have developed this application using Flex 3(SDK 3.4). Is there any best way to use Secret key without being hard coded in source code. If anybody come across this kind of problem, please let me know.
Anyone, please suggest me the best way to use the secret keys in SourceCode without being Hard coded.
Here is my sample code:
var currentResult:String = "";
var strDataToEncrypt:String = "";
var kdata:ByteArray;
var todayDate:Date = new Date();
kdata = Hex.toArray(Hex.fromString("secretKey here"));
strDataToEncrypt =username.toUpperCase() + "#$#" + password + "#$#" + todayDate.getTime().toString();
var data:ByteArray;
data = Hex.toArray(Hex.fromString(strDataToEncrypt))
var name:String = "des3-ecb";
var pad:IPad = new PKCS5;
var mode:ICipher = Crypto.getCipher(name, kdata, pad);
pad.setBlockSize(mode.getBlockSize());
mode.encrypt(data);
currentResult = Base64.encodeByteArray(data);
var token:String = currentResult;

There is no such thing as complete protection with Flash. Your keys have to be either in the code or loaded externally, and at some point anyone who is determined enough will be able to get them. All you can do is make this process so complex that it's not worth the hassle.
Have a look at this question for ways to make your source harder to decompile and read: How to protect swf file from being decompiled?

don't send your data as url parameters. send it with a post request.
if that's not possible you could try implementing a scheme with a public key. but be careful, chances are high that you implement something wrong which leads to even bigger security problems.

Related

Load data via GET from URL in Flash / AS3

I know it's 2016 and this is a question about Flash...
Sadly a lot of the Flash AS3 resources are no longer available as the format has fallen out of favour with web devs and the tutorials I have managed to find are all done on earlier versions of Flash - I have CS6, and some of the functions/commands don't seem to work the same way.
So my question for you S.O gurus...
How do I load any kind of data into a swf movie via a GET URL.
For example :
www.example.com/mymovie.swf?loadfile=myfile.mp3
I know I can do the following to load an external file :
var url:String = "http://example.com/myfile.mp3";
var soundFile:URLRequest = new URLRequest(url);
But instead of hard coding the url how do I tell it to look for the data in the loadfile variable delivered via the incoming request?
The answer in case anybody else stumbles across this :
loaderInfo.parameters['loadfile']
Gets the variable from the url

Cannot use URLRequestMethod different from POST GET in ActionScript

I'm trying to get the head of a page without downloading the whole thing, because it's too heavy and I just need the header information.
The code is this:
var resource:String = "<myResource>";
var urlRequest : URLRequest = new URLRequest(resource);
urlRequest.method = URLRequestMethod.HEAD;
var requestLoader:URLLoader = new URLLoader();
requestLoader.load(urlRequest);
It works if I use either POST or GET, but not HEAD, PUT or DELETE.
I don't know how to solve it or if it has been deprecated.
According to the docs, the constant is still valid but in the first line it says that it is only to distinguish between GET and POST.
Edit:
Finally I ended up doing the request in Javascript and calling it from actionScript. Maybe it is not a great solution, but it works fine.

re-requesting xml data after updating variables in Flash

Having a few problems that after three days of googling and coding I am unable to find any suitable answers so, I'm hoping that someone with far more Flash AS3 knowledge than me can help. I have frame on the Maintimeline of a flash Movie which requests and loads PHP generated XML. The PHP file is passed three variables from Flash which are then used to populate certain parts of the MySQL query in the PHP file. It all works wonderfully and I can populate a myriad dynamic text fields via my loadXML function. here's my code:
var req:URLRequest=new URLRequest("http://example.com/returnusers.php");
req.method = URLRequestMethod.POST;
var phpVars:URLVariables = new URLVariables();
phpVars.Group = myVar1;
phpVars.Company = myVar2;
phpVars.startRow = myStartRow;
req.data = phpVars;
var xml:XMLList;
var xmlLoader:URLLoader = new URLLoader();
xmlLoader.addEventListener(Event.COMPLETE, loadXML);
xmlLoader.load(req);
My problem is that I also have several buttons that, when clicked, will change the values of the myVar1, myVar2 and myStartRow. and thus change the parameters of the query in the PHP file. I would like to resend these to the same PHP file for an updated xml output and for my dynamic text fields to be updated with the new xml data.The only problem is is that I don't know how. As you can problably tell I'm no Tech Wizz but I'd really appreciate if someone out there could help... Thanks in advance
What you are trying to implement is a classic MVC design - in simple words you have a model (database + php) that is dynamic (changes during run time) and you want your view to change according to the changes made in the model (the view is binded to the model)
The solution requires some architectural work that is a bit advanced and will take some learning time , this is a good start : http://www.moock.org/lectures/mvc/

What is background to have ServerHandler.addCallbackElement method?

Frequently GAS users (me too) do not use the ServerHandler.addCallbackElement method or use in a way which does not cover all controls.
What is a background to have this method at all? Why GAS developers introduced it? Is it simpler to pass all input widgets values to all server handlers as parameters?
The documentation does not provide answers to these questions.
I see the following causes
Adding widgets as callback elements reduces traffic between browsers and GAS servers in case of several handlers which handle different sets of controls. Here is a question. How much traffic it saves? I think maximum a few kilobytes, usually hundreds of bytes. Is it worth, considering the modern internet connections speed, even mobile connections.
A form contains a table-like edit controls with multiple buttons and it is comfortable to handle row elements with the same name. This issue is easily avoided by using tags. See the following example. If the tags are used for other purposes it is not a problem to parse the source button id and extract the row number.
Limits of technology used behind the scenes. If there are such limits, then what are they?
function doGet(e) {
var app = UiApp.createApplication();
var vPanel = app.createVerticalPanel();
var handler = app.createServerHandler("onBtnClick");
var lstWidgets = [];
for (var i = 0; i < 10; i++) {
var hPanel = app.createHorizontalPanel().setTag('id_' + i);
var text = app.createTextBox().setName("text_" + i);
text.setText(new Date().valueOf());
var btn = app.createButton("click me").addClickHandler(handler);
btn.setTag(i).setId('id_btn' + i);
var lbl = app.createLabel().setId("lbl_" + i);
hPanel.add(text);
hPanel.add(btn);
hPanel.add(lbl);
lstWidgets.push(text);
lstWidgets.push(btn);
vPanel.add(hPanel);
}
// The addCallbackElement calls simulate situation when all widgets values are passed to a single server handler.
for (var j = 0; j < lstWidgets.length; j++) {
handler.addCallbackElement(lstWidgets[j]);
}
app.add(vPanel);
return app;
}
function onBtnClick(e) {
var app = UiApp.getActiveApplication();
var i = e.parameter[e.parameter.source + '_tag'];
var lbl = app.getElementById("lbl_" + i);
lbl.setText("Source ButtonID: " + e.parameter.source + ', Text: ' + e.parameter["text_" + i]);
return app;
}
Great Question.
"How much traffic it saves?" I don't think we know yet, but I expect it will get more efficient over time. Here is another discussion on performance. Only extensive testing and improvements from Google will really allow us to identify best practices, for now all I can say is that ClientHandlers are clearly going to be better than ServerHandlers whenever possible.
As JavaScript developers I think we are predominantly use to doing stuff client-side, then we think of PHP/ASP as server-side tools. My understanding so far is that our GAS code is actually running both client and server side (at the very least it's calling server side functionality) but it sure seems like there's more going on server-side than we realize, and on the client-side this seems to result in somewhat "compiled" code. I kinda recognize some of this multi-tier deployment from my Java experience.
Since there are a lot of ways of doing the same thing, Google can take advantage of the fact that our code is not directly interpreted (by either side) to do things that would not necessarily make sense if we were writing the code by hand. This is why I think it will become more efficient than other solutions, eventually but probably not yet. For now I'd suggest steering clear of GAS if you are worried about performance. Maybe just for fun try looking at the source of your client-side Web-Apps at runtime (view source). So in order for them to do things most efficiently, I imagine they will benefit by having us define things in a very high-level way. This gives them the most flexibility in how they interpret our code.
To specifically address your second question I personally think of the Handler Function onBtnClick() as running on the Server-Side, whereas the Tags you refer to (and most of the doGet) would be in the browser's engine on the client-side. I can see how the functionality would be much more flexible (efficient and powerful) on the server-side if they have an idea ahead of time as to how much memory they would need to handle specific events/requests. (Clearly if each getElementById() call was running a separate request, that would be like clicking a link to a new mini-webpage each time.)
So now the question is why can't my handler just automatically create parameters with just the stuff I use in my handler function? The only reason we are asking this question in the first place is because there is some stuff in the UiApp which seems to be available on both ends. The UiApp is already in the scope of both the doGet and onClick but the variables defined in doGet are not, so these values need to be either
explicitly saved like ScriptProperties.setProperty() or
put into the UiApp somewhere with an Id or
explicitly given to the Handler function using addCallbackElement()
Notice how you had to addCallbackElement(lstWidget), because it was not created with an app.create... constructor within the UiApp object. My guess is that GAS is implementing XML compliant SOAP calls to a web-service on the Google end, we may be able to figure this out by really studying the client-side source code. Just to reiterate we could also use setProperty() it does not really matter, or even save them via JDBC and then retrieve them with another connection from within your handler function but somehow the data needs to be passed from the Client to the Server and vice-versa.
From a programming perspective there is a lot of stuff available in the scope of your client-side doGet function that you probably would never want to pass to the server, or there may be functions in the scope of the server-side doClick() with the same name as functions on the client-side but they may actually be calls to totally different library functions maybe even on totally different hardware (even though from the developer's perspective they work the same way).
Maybe the Google team has not yet really decided on how the UiApp really works yet, otherwise they would just force or at least allow us to put everything in there. Yet another observation when we call UiApp.getActiveApplication() based on it's name it does not seem like a constructor, but rather a method that returns a private instance from the UiApp object. (Object being a class that was previously instantiated and supposedly initialized somewhere.) I may not have 100% answered your question but I sure did try, any further insight from the community would clearly be appreciated.
Now I may be straying off-topic but I also imagine the actual product will continue to change as they do more to improve performance in the long-term, and if we still feel like we are writing client-side code as a developer then that is a success for Google. Now please correct me if I have stated anything wrong, I have just recently started using these tools and plan to follow up on this question with more specifics as I learn more but as of right now that is my best interpretation.
If you use a formpanel all the sub elements will be sent to your dopost function. With the button as source. And your UIapp will be cleaned.
If you don't want that use a callback to specify what element and siblings will be sent.
This is how the UIapp is designed.

Trigger Google Apps Script by email

I'm looking for examples of a pattern where a demon script running within a GoogleAppsForBusiness domain can parse incoming email messages. Some messages will will contain a call to yet a different GAScript that could, for example, change the ACL setting of a specific document.
I'm assuming someone else has already implemented this pattern but not sure how I go about finding examples.
thx
You can find script examples in the Apps Script user guide and tutorials. You may also search for related discussions on the forum. But I don't think there's one that fits you exactly, all code is out there for sure, but not on a single script.
It's possible that someone wrote such script and never published it. Since it's somewhat straightforward to do and everyone's usage is different. For instance, how do you plan on marking your emails (the ones you've already read, executed, etc)? It may be nice to use a gmail filter to help you out, putting the "command" emails in a label right away, and the script just remove the label (and possibly set another one). Point is, see how it can differ a lot.
Also, I think it's easier if you can keep all functions in the same script project. Possibly just on different files. As calling different scripts is way more complicated.
Anyway, he's how I'd start it:
//set a time-driven trigger to run this function on the desired frequency
function monitorEmails() {
var label = GmailApp.getUserLabelByName('command');
var doneLabel = GmailApp.getUserLabelByName('executed');
var cmds = label.getThreads();
var max = Math.min(cmds.length,5);
for( var i = 0; i < max; ++i ) {
var email = cmds[i].getMessages()[0];
var functionName = email.getBody();
//you may need to do extra parsing here, depending on your usage
var ret = undefined;
try {
ret = this[functionName]();
} catch(err) {
ret = err;
}
//replying the function return value to the email
//this may make sense or not
if( ret !== undefined )
email.reply(ret);
cmds[i].removeLabel(label).addLabel(doneLabel);
}
}
ps: I have not tested this code
You can create a google app that will be triggered by an incoming email message sent to a special address for the app. The message is converted to an HTTP POST which your app receives.
More details here:
https://developers.google.com/appengine/docs/python/mail/receivingmail
I havn't tried this myself yet but will be doing so in the next few days.
There are two ways. First you can use Google pub/sub and handle incomming notifications in your AppScrit endpoint. The second is to use the googleapis npm package inside your AppScript code an example here. Hope it helps.
These are the steps:
made a project on https://console.cloud.google.com/cloudpubsub/topicList?project=testmabs thing?
made a pubsub topic
made a subscription to the webhook url
added that url to the sites i own, i guess? I think I had to do DNS things to confirm i own it, and the error was super vague to figure out that was what i had to do, when trying to add the subscription
added permission to the topic for "gmail-api-push#system.gserviceaccount.com" as publisher (I also added ....apps.googleusercontent.com and youtrackapiuser.caps#gmail.com but i dont think I needed them)
created oauth client info and downloaded it in the credentials section of the google console. (oauthtrash.json)