I've ben struggling with this as well. The issue is not with Flex; you'll have this with any client server application. You even have a bigger issue than what you are outlining... The components you have to expose on the server can be directly accessed by a skilled programmer without using your application. And why deal with your code if someone can attach directly to the server and "update" their score directly? I've started using validation anytime a user touches my server. So all of my components have a validation mechanism. Is it fool-proof? Probably not. So not only will you have to validate your interface; you'll have to validate the data being put into the server through your components. Now for the application side. The best way is to use CRCs on the application to know if something has changed in the code before it attaches to your server. I'm not sure how this would be implemented in action script or if its possible. If not, then you'll need some way to validate the code you provide to the end user. Biggest thing... Never rely on the "stupidity" of your end users. There's a small percentage of people that have the skills and that small percentage will be the ones that cause the biggest problems. This is even more the case if there are rewards that people can earn.
________________________________ From: [email protected] on behalf of kenny14390 Sent: Tue 5/27/2008 10:26 AM To: [email protected] Subject: {Disarmed} [flexcoders] The "High Score" Problem I've been doing a lot of research on this topic recently and I'm sort of stuck. For those who don't know about this type of problem, it is the security concern that communication between Flex (a Flash front-end application) and a server through PHP is thinly-veiled and prone to attack. Specifically, when a Flash game tries to tell the server that a user got a high score, an attacker can find a way to fake this high score and achieve the best score (sometimes resulting in a cash prize). The measures that I've been studying seem to only get in the way for attackers, but not thwart them entirely. For example, one could simply encrypt the data that is passed to a PHP file, but the Flash application can be decompiled and the encryption technique is discovered. Alternatively, one could obfuscate the application, making the decompilation produce jargon, but this too can be translated into human-readable text. A server can check data for feasibility by using a timer to detect super-fast computer-generated PHP POSTs, but this too can be overridden by slowing down the auto-POSTs. This is the case for other "human" feasibility checks. If the server checks the POST headers, they too can be faked by proxies. Is the simple conclusion that Flash applications are inherently transparent? There is no such thing as Flash application security? Does SSL patch any of these risks? How can a "high score" problem be overcome? -- This message has been scanned for viruses and dangerous content by MailScanner <http://www.mailscanner.info/> , and is believed to be clean.
<<winmail.dat>>
