XOR Cipher Encryption in ActionScript 3

I typically use an external XML file in all my applications to store configuration variables outside my compiled SWF file. This allows me to make changes to those variables without needing to recompile the SWF application. This is really helpful if you’re deploying an application to multiple environments (development, staging, production). You can deploy the same application and just have a different XML file in each environment with different values.

The values in the XML file are easily read by anyone using a proxy like Charles or Service Capture. Therefore, I decided to put a simple encryption on the values I didn’t want people to be able to easily read. XOR Cipher encryption is a simple form of two-way encryption using a known key. This key would be compiled into your SWF application. So the only way someone could decrypt your variables would be if they decompiled your SWF or guessed the key. Obviously this solution is not hack proof, but it provides a road block for anyone trying to get at these values.

The following is an ActionScript 3 class that performs this XOR encryption. This encodes/decodes the XOR encrypted value using the Base64Encoder in Flex, so if you want to use this without Flex you’ll need to remove that dependancy. The xor() method performs the XOR encryption against the key. If you run a string through this method it with return and encrypted string, and if you run that encrypted string through this method it will return your original string.

package com.dannypatterson.utils {
    import mx.utils.Base64Encoder;
    import mx.utils.Base64Decoder;
    public class XORcipher {
        public static var KEY:String = "eVBHOulunx8A6spikeRQ9UEgyaXINTyzpn3SJ7FSzmwSlewTWI3";
        private static function xor(source:String):String {
            var key:String = KEY;
            var result:String = new String();
            for(var i:Number = 0; i < source.length; i++) {
                if(i > (key.length - 1)) {
                    key += key;
                result += String.fromCharCode(source.charCodeAt(i) ^ key.charCodeAt(i));
            return result;
        public static function encode(source:String):String {
            var encoder:Base64Encoder = new Base64Encoder();
            return encoder.flush();
        public static function decode(source:String):String {
            var encoder:Base64Decoder = new Base64Decoder();
            return XORcrypt.xor(encoder.flush().toString());

21 thoughts on “XOR Cipher Encryption in ActionScript 3

  1. Saravanan R

    Hi Patterson,
    First i will introduce myself .I’m working as a senior flash programmer in India.
    The company which i’m working is an e-publishing company.
    In our project we keep the content as a external XML file. I thing, XOR will help us . I would like to implement this in our project. From the post i’m not get cleared how to implement this so I request you to give me more detail about this by using AS3 and also with example.


  2. Danny

    I’m not sure what isn’t clear. If I were implementing a solution like you describe, I would start by encoding your XML file. Take the following XML sample:

    <content>Hello World!</content>

    If you ran this through the XORcipher it would look like this:


  3. Pingback: raid.mul-timedi-a.net

  4. Saravanan R

    Hi Patterson,
    i explain my doubts. For example consider a xml named as “a.xml” which contains Hello World!. I have a script to do xml processing named as “xmlProcess.as”. My doubt is how can i map both (a.xml and xmlProcess.as) by XOR in order to do encode and decode.

  5. Danny

    I’m not sure whay you’re not getting. Here is the code to load the XML file and decode the XOR ecrypted value. This example is loading the Hello World XML I listed above.

    var loader:URLLoader = new URLLoader();
    loader.addEventListener(Event.COMPLETE, onLoad);
    loader.load(new URLRequest(“data.xml”));

    private function onLoad(event:Event):void {
    var content:XML = XML(URLLoader(event.target).data);

  6. Just Saying...

    Why would you extend the key in this manner? It probably isn’t an issue for most XML, but performance could suffer if this method was used for very large strings or is called repeatedly for a very large XML file. Here is a better implementation; however, several other performance optimizations are possible, which are left as an exercise for the reader.

    //new and improved, but still not optimal…
    private static function xor(source:String):String {
    var result:String = new String();
    for(var i:Number = 0; i < source.length; i++) {
    result += String.fromCharCode(source.charCodeAt(i) ^ KEY.charCodeAt(i % KEY.length));
    return result;

  7. Atin

    Hi, i tried using the same the same thing to encrypt one of my xml of about 4 mb size but it failed to do it. Any help in this respect?? In all i just need something to encrypt in asp.net and decrypt in actionscript 3.

  8. Slash

    If i used XORcrypt within Flex to encrypt say a URL Variable. Would it be possible to decrypt the variable in ASP? If using both the same encryption string key i would imagine it could be done but not got a clue how one would do it?

  9. Jillian

    “So the only way someone could decrypt your variables would be if they decompiled your SWF or guessed the key.”

    It’s actually extremely trivial to decompile SWF files. There’s a free tool from HP to do so. (Google: SWFScan) So, expecially if you put your key in the source code (NEVER a good idea really), this would be pretty easy for a bad person to break. Even if the key is secret, XOR is an extremely weak form of encryption and wouldn’t take a lot of effort.

  10. Cardin

    I think this is a very good crypto program for Flash. With at least 3 options of cryptography out there for Flash: ActionCrypt, XORcipher, and AS3Crypto, it sets people guessing which cipher was really used for encryption.

    Though finding out will be really trivial. Actionscript is too easily decompiled, and once you know the method, and the Key, it’s just a matter of compiling your own program to decrypt it.

    Even if you use BlowFish, or SHA-256, it’s useless. All cryptography are equal in Actionscript decompilers.

    I still have to give my thanks to for the XORcipher though. I got it working under a minute, compared to my 3 weeks for the AS3Crypto. It appears its BlowFish implmentation has issues, and so does Flash’s ByteArray implementation.

  11. Roma

    Thanks for this post.
    I have a question though. I’m developing flash apps, using FlashDevelop+Flex SDK.
    And this IDe can’t see mx.utils.Base64Encoder class.
    What swc do I need to add in order to make it all work?

    (How can I subscribe to comments here?:)