Protect your Flash Lite content with Cryptography

Do you need to sell your Flash Lite application and want to stop a customer from installing the app on more than one mobile phone? It turns out that this is quite simple to implement if you know a bit about cryptography and Flash Lite ActionScript.

Here are the steps:

  1. the customer goes to your website to register the software with his/her device IMEI
  2. you use your encryption key to generate an activation code from the unique IMEI
  3. you email the activation code back to the customer

Here is how that works on the Flash Lite application:

  1. when the Flash Lite app runs for the first time, it asks the user to enter the activation code
  2. it then uses the decryption key (ActionScript) to compute the original IMEI value
  3. it then reads the device IMEI: fscommand2("GetDeviceID", "id");
  4. it then tests whether the 2 IMEIs are the same
  5. if yes, it saves the status in the SharedObject and continues to run the app
  6. if no, it returns an error message and gracefully quits the app

The above technique works even when customers upgrade or reflash the ROM of their mobile phone, for example from Windows Mobile 5 to Windows Mobile 6, as the upgrade doesn't alter the device's unique IMEI.
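
An added sketch of the two procedures above, written for Node.js rather than Flash Lite ActionScript; it is not the author's code. It assumes Ed25519 signatures in place of the post's unnamed cipher, so the app checks the activation code against the device IMEI with a public key instead of decrypting it; the function names and the store object (standing in for the SharedObject) are hypothetical.

```javascript
// Added example, not the post's code. Ed25519 signing stands in for the post's
// unnamed "encryption key" / "decryption key"; every name here is hypothetical.
const crypto = require('crypto');

// Vendor side (website): the private key never leaves the vendor's server.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');

function normalizeImei(raw) {
  // Accept "35-209900-176148-1" style input; require exactly 15 digits.
  const digits = String(raw).replace(/[\s-]/g, '');
  return /^\d{15}$/.test(digits) ? digits : null;
}

function issueActivationCode(registeredImei) {
  const imei = normalizeImei(registeredImei);
  if (imei === null) throw new Error('registration rejected: not a 15-digit IMEI');
  // The activation code is a signature over the IMEI, base64 for e-mail.
  return crypto.sign(null, Buffer.from(imei), privateKey).toString('base64');
}

// App side: ships only publicKey. store stands in for the SharedObject,
// deviceId for the value read with GetDeviceID.
function activate(code, deviceId, store) {
  if (store.activated === true) return 'ok';          // status saved on an earlier run
  const imei = normalizeImei(deviceId);
  // Commenters report GetDeviceID giving "0" or "-1" on some handsets.
  if (imei === null) return 'device-id-unavailable';
  const sig = Buffer.from(String(code).trim(), 'base64');
  if (sig.length !== 64) return 'bad-code';           // Ed25519 signatures are 64 bytes
  if (!crypto.verify(null, Buffer.from(imei), publicKey, sig)) return 'wrong-device';
  store.activated = true;                             // persist the activated status
  return 'ok';
}

// Constructed sample values, not real devices.
const demoCode = issueActivationCode('35-209900-176148-1');
console.log(activate(demoCode, '352099001761481', {}));  // ok
console.log(activate(demoCode, '490154203237518', {}));  // wrong-device
console.log(activate(demoCode, '-1', {}));               // device-id-unavailable
```

With this variant the key embedded in the app can only verify codes, not issue them, which bears on the decompilation concern raised in the comments. The comparison itself still runs in client code.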


~ by brianchau on July 28, 2007.

7 Responses to “Protect your Flash Lite content with Cryptography”

  1. Okay, but identification depends on the phone hardware in that case, some use to change quite often… I prefer to use phone number identification; it is a more stable variable. Just make the people register with SMS, get their phone number, encrypt a key and voilà!

  2. When the application runs, we need to get the phone number to match with the decrypted activation key. But there is no AS method that can read the handset phone number, at least none that I am aware of. Hence I suggest using the device IMEI, which is hardware unique and which the AS fscommand2 can read. I am open to suggestions though.

  3. I wonder if ActionScript can be decompiled and then fscommands found easily (no matter what obfuscators do to code)… If so, then using cryptography may be just a hassle. Anyway, a good article.

  4. Yes, I knew it would come up. True, sooner or later someone would be able to hack into the decompiled code and work out the decryption key. But hopefully they would be rather a minority of the target market.

  5. Hi,

    I just happened to see your site while searching for solutions. I am writing a small application that requires the device ID.
    I have used fscommand2("getdeviceId", "deviceID") but it only returns "0" or "-1".

    I was wondering what I have missed in order to obtain the full IMEI.

    I look forward to your reply.


  6. Hi,
    A good article, but this method may not be possible on all devices due to the following restrictions:

    Flash Lite cannot determine the IMEIs of many mobiles, and SharedObject or persistent storage is not available on many of the devices.

  7. Hi,
    My Name is, Daniel
    good overall content
    check out my site:
