March 30, 2006

Protecting Flash files from unauthorized playback

Richard Lee @ 2:21 pm

Recently I had to help a friend with protecting Flash files on an educational site. Essentially she wanted to prevent unauthorized use of the site’s Flash content. In the past users have been hotlinking Flash files, and even posting the files on their own sites as their own material.

The first step was to prevent any playback of swf files not on her server, so I decided to use Flash’s _url property (_root._url), which tells us the URL, and therefore the domain, from which the current playback is occurring.

Here’s what I came up with:

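// ActionScript is case-sensitive from Flash Player 7 on, so the literals are true/false
_authPlayback = false;
// trailing slash so that a host such as mysite.com.au.example.net does not pass the prefix check
siteURL = "http://mysite.com.au/";
if (_url.substr(0, siteURL.length) == siteURL) {
    _authPlayback = true;
}
if (!_authPlayback) {
    // not playing from our own site: send the viewer there instead
    getURL(siteURL);
}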

Unfortunately this won’t stop someone from hotlinking swf files through the OBJECT/EMBED tags, because a hotlinked file is still loaded from her server and so passes the check.

So how do we stop this? Well, for hotlinking you would normally resort to Apache’s mod_rewrite module and rewrite the URL based on the referrer information. However, mod_rewrite won’t work with Flash swf files since the OBJECT/EMBED tag doesn’t submit a referrer when requesting the swf file from the server! Instead, the solution is to set up a password protected directory (using htaccess) and use a bit of PHP to handle the swf file requests:

<?php
/*
swfrequest.php
Example PHP code processing a request to a secured swf file
*/

// a secured directory containing your swf file(s)
$secureDir = 'swf/';
// the password for your protection setup
$password = 'yourpassword';
// how many days until a key expires? (0 = only keys from today)
$keyExpiry = 1;

header('Content-Type: application/x-shockwave-flash', true);

// only accept string parameters; anything else falls through to the denied movie
$key  = (isset($_GET['key'])  && is_string($_GET['key']))  ? $_GET['key']  : '';
$file = (isset($_GET['file']) && is_string($_GET['file'])) ? $_GET['file'] : '';

for ($i = 0; $i <= $keyExpiry; $i++) {
    $match = md5($password.date("Ymd", mktime(0, 0, 0, date("m"), date("d") - $i, date("Y"))));
    // authorize request by checking key (strict comparison, so "0e..." hashes are never compared as numbers)
    if ($match === $key) {
        // deliver the file; basename() drops any directory part so the user can't request files from higher directories
        $filename = $secureDir.basename($file);
        if (is_file($filename)) {
            header('Content-Length: '.filesize($filename), true);
            readfile($filename);
            exit;
        }
    }
}

// Otherwise serve up a pre-determined swf with a denied message or animation
readfile($secureDir.'denied.swf');
?>
 
<?php
// on the page that embeds the movie: build the request URL with today's key
$filename = 'http://www.example.com.au/swfrequest.php?file=myfile.swf&key='.md5('yourpassword'.date("Ymd"));
?>

<OBJECT classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=7,0,0,0" width="550" height="400" id="my" align="middle">
<PARAM NAME="movie" VALUE="<?php echo htmlspecialchars($filename); ?>">
<PARAM NAME="quality" VALUE="high">
<PARAM NAME="bgcolor" VALUE="#ffffff">
<EMBED src="<?php echo htmlspecialchars($filename); ?>" WIDTH="550" HEIGHT="400" TYPE="application/x-shockwave-flash" pluginspage="http://www.macromedia.com/go/getflashplayer"></EMBED>
</OBJECT>

We have now successfully implemented two levels of security to prevent unauthorized playback. If you would also like to protect your files from being imported into a decompiler you may want to look at using Flash’s internal import protection or use one of the many third-party encryption tools.
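The key used by swfrequest.php is the same for every file on a given day and sits in the HTML source of the embedding page. As an added example (not part of the original post), here is one way to bind each key to a single file and an explicit expiry time with an HMAC; SECRET, issueToken, signedQuery and authorize are hypothetical names and the secret value is a placeholder.

```php
<?php
// Added example, not the original post's code. All names below are hypothetical.
const SECRET = 'replace-with-long-random-secret'; // placeholder value

// Issue a token bound to one file name and one expiry time (Unix seconds).
function issueToken(string $file, int $expires): string
{
    return hash_hmac('sha256', $file . "\n" . $expires, SECRET);
}

// Build the query string the embedding page would append to swfrequest.php.
function signedQuery(string $file, int $ttlSeconds, ?int $now = null): string
{
    $expires = ($now ?? time()) + $ttlSeconds;
    return http_build_query([
        'file' => $file, 'expires' => $expires, 'key' => issueToken($file, $expires),
    ]);
}

// Return the path to serve, or null when the request must be denied.
function authorize(array $get, string $secureDir, ?int $now = null): ?string
{
    foreach (['file', 'expires', 'key'] as $name) {
        if (!isset($get[$name]) || !is_string($get[$name])) {
            return null;                  // missing or array-valued parameter
        }
    }
    if (!ctype_digit($get['expires']) || (int)$get['expires'] < ($now ?? time())) {
        return null;                      // malformed or expired
    }
    $expected = issueToken($get['file'], (int)$get['expires']);
    if (!hash_equals($expected, $get['key'])) {
        return null;                      // wrong key, or key issued for another file
    }
    $base = realpath($secureDir);
    $path = realpath($secureDir . '/' . basename($get['file']));
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;                      // not a real file inside the secured directory
    }
    return $path;
}

// Constructed demo: take a key issued for a.swf and try to use it for b.swf.
parse_str(signedQuery('a.swf', 300, 1000), $q);
$q['file'] = 'b.swf';
var_dump(authorize($q, __DIR__, 1000));
```

A copied URL still works until its expiry time passes, so the lifetime passed to signedQuery should be kept short.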


4 Comments »

  1. Ok so it protects in two ways:

    - Writing a flash movie wrapper, but can only protect if the wrapper is called (in which it checks the URL it is being loaded from).
    Could this method work if the actual SWF that we want to load had the check?

    - Second is issuing an expiring key with a unique unknown composite MD5 key
    Meaning that whoever is linking to the file will have to update the key before being able to load the content after it expires?

    Comment by Cameron Manderson — March 30, 2006 @ 3:30 pm

  2. Hotlink protection on other files (other than SWF as Richard has pointed out lack of support)

    For those of you running CPanel this tutorial may be relevant:
    - http://www.newista.com/tutorial/xskin/HotLinkProtection.html

    For those of you who have access to mod_rewrite, it is strong at protecting access
    - http://www.splintered.co.uk/experiments/52/

    Just out of interest, does that mean if we fluke the HTTP header request to the target server, with a referral URL of their server, we can get around mod_rewrite’s ability to stop hotlinking?

    Comment by Cameron Manderson — March 30, 2006 @ 3:36 pm

  3. Ok, there seems to be a section of the post missing. I’ll have to re-post.

    Comment by Richard Lee — March 30, 2006 @ 3:48 pm

  4. A mod_rewrite for images may work the same for flash?

    RewriteCond %{HTTP_REFERER} !^$
    RewriteCond %{HTTP_REFERER} !^http://localhost/.*$ [NC]
    RewriteCond %{HTTP_REFERER} !^http://mysite.com/.*$ [NC]
    RewriteCond %{HTTP_REFERER} !^http://www.mysite.com/.*$ [NC]
    RewriteRule .*\.(gif|GIF|jpg|JPG)$ http://mysite/images/bad.gif [L,R]

    Comment by Cameron Manderson — December 2, 2006 @ 5:52 pm
