The install works seamlessly, and you are up and running in minutes. You can load a file locally from disk or via an url.

After the .swf file is loaded, and decompiled, you can navigate the complete package structure, and all the classes within a package. It is also possible to view the source for single classes. Quite interesting that HP has made it so easy to have a look at your own and other companies applications

The most interesting feature, and the whole point of SWFScan is analyzing the source to find security issues, and it lists the possible vulnerabilities in your application. A job it seems to do relatively well, considering that I have only used it for a short while and not tested it with code that i know has security issues, it works well. I managed to test it on a large application I’m working on, plus a few modules we are using, and performance for the decompile and the analysis was very good.
It is very eager on reporting issues where it is doing string comparisons, and it’s makes it feel a bit noisy, at least if your application is large, and you use words like “security”, “uid” in your methods or variables. But i would rather see them too often, then not picking up on potential issues. It also reports issues like trace() which you don’t really want in your production code.

After having tested it on both Flash and Flex applications, I would say it works as expected. So far I have “only” found one big showstopper, we have a preloader in one of our Flex applications, and SWFScan is not able to decompile the classes in the whole application, only the ones used by the preloader.

SWFScan also highlights a broader issue with Flex/Flash applications, in the past decompilers haven’t really been as available as it is now, and looking at the code it produces it should give most developers a small wake-up call. It gives other people a good insight to how you code, how it is designed and also what services you are using.

This is absolutely a tool every Flex/Flash developer should have in their toolkit.

• Decompiles and analyzes the application to identify security issues.
• Identifies insecure code, and deployment setup.
• No need for access to the code
• And it is Free

Definitely worth trying, finally someone creates a tool to address Flash security.