I was just told by Macromedia that my Flash Lite Contest entry NYC Traffic Viewer will be featured on a video billboard in Seoul, South Korea. If you would like to see the whole spot, click here.

I’m very happy to have my work included in There, but I am even more impressed that Macromedia is doing advertisements like this in the markets where Flash Lite is really starting to take hold. Hopefully one day soon US numbers will be as good as their.

MoveOn.org has announced a Flash contest asking designers and developers to create their most compelling Flash content to show how Bush’s Social Security plans are flawed. Republicans have geared up again to drown out voices with the sounds of a $100 Million dollar ad campaign for their plans and it has fallen to us, the Flash geeks, to help get the message out.

There are so many talented Flash designers out there that we should be able to turn some heads and sway some hearts. If any politically-minded designers want to work with me to create a game, let me know, I may be looking to do something fun.

Last week I got the demo version of Silk Mobile’s write2File. write2File is a symbian application that can be invoked via fscommand in FlashLite to save some blurb of text to any local file path. I finally had some time to take a look at it and my first reaction is that it is pretty cool and a definite work around for persistent data in Flash Lite.

My second impression however was that there was a pretty significant security issue with write2File. The application does exactly what it says it will do… A bit too well it would seem. The issue was that the application could write over ANY file. This includes the binary applications that run on your phone. As a bit of a test, I created a swf file for my phone that when run, silently overwrote the write2File application with a text file. Being the perfect combination of stealth, maliciousness and the opportunity for credit taking this seemed to be fertile ground for several exploits (yeah, I put a message in my overwriting text file. Fortunately I had enough self control to not resort to h4×0r text).

Security issues and exploits happen. It is the nature of creating software that can be used by lots and lots of smart people. I do feel this one was pretty obvious, but truthfully it is a very new application going in a new direction for Flash interaction. That said, the important thing for me was that Silk was very responsive. When I sent a message on Sunday I got a prompt reply saying that they would make the fix a high priority. By Wednesday morning the new version of write2File was ready and the current customers had all been notified. I think it is important to remember that a responsible and responsive company is one of the best foils for security exploits. They were able to deal with the issue quickly and effectively without becoming defensive.

The new version of write2File now can only create new files and overwrite existing text files. If the file is anything other than text, the file will not be overwritten. While there may be some ability for mischief for other applications that rely on text files, this threat is far less significant than what was out before. Having accepted Macromedia’s strong stance on security and sandboxing, I still would probably prefer stronger limitations such as a custom file extension that is always placed on the file and unlikely to be used by other applications. Flash does not pay attention to file extensions, but an unusual file extension would make it impossible to overwrite common files while preserving the ability to write to any directory on the phone. In the end though this is Silk’s choice.

There is a very important cautionary tale here though. Any application that you install on your phone does have the ability to affect your phone in very significant ways. The good thing is that our phones ask us for permission before installing new content. That is, except for Flash Lite. In Flash, you can receive a file through MMS, bluetooth, IR or through the web and the moment you access the file it runs. There is no request for permission like other applications. Normally with Flash this is not an issue since Macromedia has always done an excellent job of limiting Flash from the local OS. As we see more 3rd party extensions enter the market for Flash Lite, I do worry about how implicitly safe Flash Lite is.

Write2File will work for any Flash file running on the phone, regardless of which flash it was originally intended to serve. If this is a common model for these extensions, then the risk we run is that a completely ethical enterprise service (carrier, device manufacturer, portal) will bundle one of these extensions with its applications giving the extension wide distribution. Once the extension has broad distribution, perfectly valid SWF files with seemingly innocent code (say a simple game) could also be silently invoking the 3rd party extensions to do less ethical things.

As I’ve been giving a lot of thought recently to using Flash Lite as a presentation layer and using other applications to do heavy lifting I am now faced with the dilemma of wondering if the launch fscommand itself is a security hole for Flash Lite. Can Macromedia (or us for that matter), really accept the security of 3rd party applications as its weakest link for Flash security? I love the fact that Flash just works from the various places you can encounter it on your phone, but it does make me nervous when my nice pretty valid Flash file can also (upon at least one button click) can silently run any other application on the phone. I’ve never had to look askance at a Flash file in the eight years I’ve been using them. I really don’t want to start now.

Now back to your regularly scheduled program (Silk’s write2File review)

Pros:
I can write text files and read them back into Flash (the read back in functionality though is blocked in the demo since it puts in a copyright notice that is not consistent with URL encoding).

The application is tiny! (2K!)

The folks at Silk are fantastic! They have been very friendly even in light of the security issues I was talking to them about. They have been very prompt with any questions I’ve had about their product and are very up front with their license fees. (all of this is truthfully surprising to me these days but very welcome). Yay for good customer services

Cons:
There are cons that are specific to the application, and then there are cons that are more issue with how life just has to work with Flash Lite 1.1

There are character limitations for the text you want to write out. Because the arguments to the launch fscommand are serialized arguments (one argument that specifies the application to launch, the path to the file that you want to write and the content of the file) you can’t use commas. and there was a comment in the sample FLA warning against using spaces in the file content. This can be worked around though by escaping the text before writing it out. If you are going to bring the text back into Flash, you are going to want the text escaped anyways.

In addition to distributing my Flash movie, to use write2File I would need to distribute their application. Beyond that, I need to find out if the user already has the app installed so I’m not constantly making the user go through an unneeded install process. The last major hurdle is the fact that there are 5 versions of write2File each corresponding to one of the different versions of the series 60 OS. Their documentation does make it clear that the only reason for the multiple versions is that each of the phone types just need different UIDs. The problem here is that to install the proper file you now need to either go through a process of asking the user for the type of phone they have (a process that changes every time a new phone comes out), or we are going to have to rely on the user to know more about their phone than is really viable for a mainstream application.

Security potential (’nuff said on that already)

How does it work?

Once you have write2File installed, it is very easy to save text to a file. you just need to know three things. What is the path to the application that you want to run? (in this case it is going to be “c:\system\apps\write2File\write2File.exe.” What is the path and file name for the file you want to write? And lastly, what is the content you want to put into the file. Once you have that information you are ready to issue your fscommand:

FSCommand(”Launch”, appPath add “,” add targetFilePath add “,” add fileContents)

It is important to remember that launch must be run as a button event (the nav keys, soft keys, or number keys) and not to a keyframe. This would seem to be a restriction by Macromedia consent (however unwittingly) to the launch event.

At this point you have a file written, but there has been no interruption in your Flash file. If you want to have some event occur after the file is saved, it is up to you to handle it on your own.

Conclusions:
I am longwinded!

Conclusions (about write2File):
write2File is an interesting applications, but the interface (determined by Flash) makes for a clunky overall experience to me. I’m concerned about the fact that any swf can use the file even if it is not the swf that was distributed with Write2File.

The installation is daunting to me, but I think there could be some interesting things going on if Silk’s next application which will create’s installer .SIS files will have an option for handling the write2File installation in a very slick (but informative) way.