Ok, after reading the devnet article that you read, let me explain.

ENTERING SENSITIVE DATA

When you enter a card number in an HTML web site, the user will enter the
clear text credit number and then hit the submit button. The data will then
be encrypted and sent to your secure server (via HTTPS).

When you enter a card number in a Flex app, the user will enter the clear
text credit number and then hit the submit button. The data will then be
sent to the server in a binary format and encrypted.

So basically the same situation with both technologies. And yes we do this at
my company :)

LOADING SENSITIVE DATA

The loading is where you have to be careful. Say in a Flex app you load the
user's full payment information to display it. DON'T return the full card
number to your Flex app! Even though you might just display the last four
digits of the card number, the full card is in memory somewhere. So a
potential evil user could use a memory sniffer to find and extract the full
card number. But then again you can make this same mistake with a traditional
HTML/JS web site by loading full card details using an AJAX call and holding
the full card number in memory, bad!

So basically is Flex less secure? No. Can a developer code it up to make it
less secure? Yes.

Let me know if you have any more questions.

On Sun, Apr 18, 2010 at 9:19 PM, [email protected] <
[email protected]> wrote:

>
>
> the link has everything to do with my question. He gives an example of a
> shopping cart/payment system setup in Flex. This raises my question of
> whether or not flash is secure enough to operate his phone store in real
> life.
>
> More specifically, user enters information into flash app, which then sends
> it somewhere to get processed (presumably some HTTPS address). The period of
> time where flash is transferring info to the HTTPS address is not secure, as
> described here:
> http://www.adobe.com/devnet/flex/articles/flex_amazon_02.html
>
> Specifically, Miti (a Flex Evangelist, so we should take his word for it,
> right?) says:
>
> "hardcoding sensitive information into a Flex application is a highly
> insecure practice".
>
> So, is it possible that Pandora's (100% Flex) payments system is secure?
>
>
> --- In [email protected] <flexcoders%40yahoogroups.com>, Jimmy G
> <angelone197...@...> wrote:
> >
> > What gave you the impression that a UI built in Flex is less secure than one
> > built in HTML? In both cases the end-user can input sensitive data like
> > credit card information and then it is up to you to set up proper security.
> > Like making sure that the client to server communication is done using SSL
> > (meaning HTTPS). If you don't do this in either case, then anyone can capture
> > the data that is being transmitted.
> >
> > You need to provide more information so we can help you.
> >
> > Also the link you provide below doesn't have anything to do with your
> > question.
> >
> > Jimmy
> >
> > On Sun, Apr 18, 2010 at 12:01 PM, garykim...@... <
> > garykim...@...> wrote:
> >
> > >
> > >
> > > I was under the impression that flex is not a secure UI and that credit
> > > card information and other sensitive information should not be passed
> > > through flash/flex.
> > >
> > > When I upgraded my account with Pandora, I noticed the payments system
> > > interface was flash. Also, there is the flex store that Coenraets talks
> > > about at
> > > http://coenraets.org/blog/2010/02/flexstore-revisited-building-an-animated-spark-layout/
> > >
> > > So, are these methods not secure, then?
> > >
> > >
> > >
> >
> >
> >
> > --
> > Jimmy G
> > Development Team Lead
> >
>
>  
>



-- 
Jimmy G
Development Team Lead
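
A server-side sketch of the "don't return the full card number" advice in the reply above, added here as an example and not part of the original thread: the service builds a client view that carries only the last four digits, then scans the serialized response for Luhn-valid card numbers before it is sent. The record layout and the function names are assumptions, and the card number is a constructed test value.

```python
import json
import re

# Runs of 13-19 digits, optionally separated by single spaces or dashes.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def to_client_view(record: dict) -> dict:
    """Build the only payment object the Flex or AJAX client may receive."""
    pan = re.sub(r"\D", "", record["card_number"])
    return {
        "card_id": record["card_id"],   # opaque reference, not the number
        "brand": record["brand"],
        "last4": pan[-4:],
        "expires": record["expires"],
    }

def find_pans(payload: str) -> list:
    """Return Luhn-valid card-number candidates found in an outgoing payload."""
    hits = []
    for m in PAN_CANDIDATE.finditer(payload):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits

def render_response(record: dict) -> str:
    """Serialize the client view; refuse to send if a full number slipped in."""
    body = json.dumps(to_client_view(record))
    if find_pans(body):
        raise ValueError("full card number in client-bound response")
    return body

# Constructed sample record (hypothetical layout, test card number).
STORED = {"card_id": "c_001", "brand": "visa",
          "card_number": "4111 1111 1111 1111", "expires": "12/2030"}
```
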
