
Defusing the Flash "Bomb"


4 years ago


A (long) while ago Adobe announced - to the joy of many in our industry - that they will discontinue the support of the Flash Player by 2021. Around the same time all the major browsers announced plans to discontinue integration of the Flash Player. Some already did so well ahead of time (Apple with Safari 14 for example).

Reality check

While this may not have been an unforeseeable step to force companies to adopt more modern frameworks (like Angular), many struggle to update their products in time for the 2021 deadline. While updates of customer-facing applications are likely to be completed by the beginning of 2021, many internal applications will not be ready in time. Enterprise IT usually contains many applications that will be seen by non-employees. Those systems often won't get updated for many months, if not years (some may be EOL with no updates at all).

This was also true for applications that I use on an (almost) daily basis. After a bit of research on this topic there were only a handful of solutions:

All of those options are not ideal: rewrite would take too long, paying for a rewrite blows the budget, a customer browser would also put a strain on the budget and using a virtual machine has many more drawbacks than just the risks related to security of the work environment.

There needed to be another solution! And there was!

DISCLAIMER: USE AT YOUR OWN RISK PLEASE BE AWARE THAT ANY INFORMATION PRESENTED HERE MAY BE CONSIDERED INACCURATE, DANGEROUS OR ILLEGAL DEPENDING ON YOUR LOCATION. ALSO NOTE THAT ANY LICENSES FOR INVOLVED SOFTWARE AND LIBRARIES NEED TO BE CONSIDERED AND FOLLOWED.

A customized, old "Chromium" browser with an outdated version of the PPAPI-Flash-Plugin as well as a custom extension for at least some security.

Building the browser

As a base I used an old version of the Chromium browser - VCS revision 344925 to be exact. The archived versions can be found here: https://www.chromium.org/getting-involved/download-chromium

For simplicity I "transplanted" the PPAPI-Flash-Player which was bundled with a Google Chrome browser. Again I used an older version (50.0.2661.75), which you will undoubtedly find when searching for it on Google.

cp -R Chrome.app/Contents/Versions/<VERSION>/Chromium\ Framework.framework/Internet\ Plug-Ins Chromium.app/Contents/Versions/<VERSION>/Chromium\ Framework.framework/

You might ask - with reason - why not just use Google Chrome? Well, Chrome's built-in auto update as well as "phone-home-features" would likely interfere with my plan later on.

For some reason Chromium could not find the PPAPI-Flash-Player plugin automatically but a CLI option did the trick. This meant that I had to change how the app was started (adding the CLI option to the defaults). On macOS this is done as follows (other OS allow similar configuration).

In the file Chromium.app/Contents/Info.plist the value for the key CFBundleExecutable needed to be changed. For simplicity I created a new launcher script in Chromium.app/Contents/MacOS/launcher (don't forget to mark it as executable) with the content:

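#!/bin/sh
# Launcher: starts the real Chromium binary with the transplanted PPAPI Flash plugin.
RealBin="Chromium"
AppDir="$(dirname "$0")"
# Replace <VERSION> with the version directory inside the app bundle.
FlashPlugin="$AppDir/../Versions/<VERSION>/Chromium Framework.framework/Internet Plug-Ins/PepperFlash/PepperFlashPlayer.plugin"
# The path must follow "=" directly; whitespace in between would split it into a separate argument.
exec "$AppDir/$RealBin" \
  --ppapi-flash-path="$FlashPlugin" \
  --ppapi-flash-version=19.0.0.226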

To my surprise this already worked quite well. BUT: as I am aware that an outdated browser with an outdated Flash version is quite a risk, I needed to take appropriate steps to lock down the browser.

Restricting and securing the browser

As I only need to access a very specific set of Flash websites (internal to the organization), there are easy steps to secure the browser:

For the allow-list I chose to use an existing Chrome extension, adapt it to my needs and then auto-load it through a launcher option. The extension I based my solution on can be found here: https://github.com/glitchedmob/Chrome-stay-focused (the pre-built extension is located in the "build" directory). In order to change it from a "block-list" to an "allow-list" approach some changes in the code are necessary.

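class Controller {
    constructor(store, view) {
        this.store = store;
        this.view = view;
        this.blockSites();
    }
    // Allow-list logic: block the page unless the current URL matches a configured site.
    blockSites() {
        let atLeastOneMatch = false;
        for (let site of this.store.sites) {
            // Substring match of the configured entry against the full URL
            if (window.location.href.includes(site)) {
                atLeastOneMatch = true;
            }
        }
        // No configured site matched: show the blocking view
        if (!atLeastOneMatch) {
            this.view.addApp();
        }
    }
}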

Furthermore I needed to add the allowed URLs to the configuration of the extension. All that was left to do was to package the extension with the browser. A few simple command line options of Chromium did the trick:

--load-extension="$AppDir/../Extension"
Also, the contents of the extension (the content of the "build" folder) needed to be copied into that Extension directory.
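The allow-list check above matches the configured entry as a substring anywhere in the URL, so any URL that merely contains an allowed string passes. The following added example (not part of the original post or of the Chrome-stay-focused extension) compares that check with an exact comparison of the parsed origin; all hostnames and the allow-list entry are constructed for illustration.

```javascript
// Added example, not the extension's own code. Hostnames are constructed.
const ALLOWED_SITES = ["https://flash-app.intranet.example"]; // hypothetical allow-list entry

// The check as written in the post: substring match on the full URL.
function substringAllowed(href, sites) {
    return sites.some((site) => href.includes(site));
}

// Stricter check: parse the URL and compare its origin (scheme, host, port)
// exactly against the origin of each allow-list entry.
function originAllowed(href, sites) {
    let origin;
    try {
        origin = new URL(href).origin;
    } catch (e) {
        return false; // unparsable URLs are never allowed
    }
    // Opaque origins (file:, data:, about:) serialize to "null"; reject them.
    if (origin === "null") return false;
    return sites.some((site) => {
        try {
            return new URL(site).origin === origin;
        } catch (e) {
            return false; // ignore malformed allow-list entries
        }
    });
}

// Constructed sample URLs
const SAMPLES = [
    "https://flash-app.intranet.example/reports/index.html",              // intended site
    "https://untrusted.example/?next=https://flash-app.intranet.example", // entry inside query string
    "https://flash-app.intranet.example.untrusted.example/",              // entry as hostname prefix
    "http://flash-app.intranet.example/",                                 // same host, different scheme
];

// Returns one row per sample with the verdict of both checks.
function compare(samples, sites) {
    return samples.map((href) => ({
        href,
        substring: substringAllowed(href, sites),
        origin: originAllowed(href, sites),
    }));
}

console.table(compare(SAMPLES, ALLOWED_SITES));
```

In the extension, the same comparison could be made against `window.location.origin` instead of `window.location.href`.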

Last but not least I removed all capabilities of the patchwork browser to register itself as an application to open any sort of document. This had to be done inside the application configuration file:

Chromium.app/Contents/Info.plist where I removed all elements of UTImportedTypeDeclarations.

Conclusion

While I still consider this an imperfect solution to the problem, it still checks all the boxes: cost, flexibility and (minimal) security. On the other hand, some of the pressure to drop Flash completely fades - in the positive and negative sense.


Fabio Germann

Published 4 years ago