Air Flex Flash Developments

 


I have been doing research on creating FB applications but have been hindered by FB developer forum comments stating that it's an unsecured environment to develop for with regard to Flash/Flex development. So is it a warn-off, or are there real security gap implications to these rumours?

Well, taking into account that any so-and-so can decompile a swf and therefore crack down into the code, namely where your AS3 is connecting to the developer API key, this would mean that any decompilation-savvy individual could get hold of your API key and deconstruct or de-anything your application/s.

Now that just ruined my morning. Let me know your thoughts.


11 Responses to “Don’t write Facebook apps with Flex or Flash?”

  1. judah

    Don’t listen to the player haters (Flash Player haters, that is). There isn’t a decompiler for AS3 at the time of this comment. There is one for Flash AS2 that shows you stripped-down, variable-renamed code fragments. If you can understand it then you can write the code in the first place. Your app is as secure as you make it. It is more secure by default than HTML, which is available by “View Source”. There are also system checks and balances all along the way.

    BTW I’m not sure what site you would use to put an API key on the page. Maybe Flickr? If that is the case, that key is available in View Source on HTML. If you need it more secure you need to set up a login that does not compile any sensitive information in the swf.

  2. admin

    Thanks for the reply judah, very informative

  3. Menzoic

    I’m not sure what an API key is, but it’s my understanding that Flash has a sandbox that prevents other programs on different servers from communicating with the swf. Wouldn’t the person need access to the server to do something?

  4. admin

    No, the API key is instilled within the swf itself in the ActionScript, and because swfs can be decompiled there is a risk of the API key that Facebook’s seal of application security can be used to copy or even destroy the app. However, there’s no such known swf decompiler for Flash Player 9, so we are safe as for now

  5. joeboxer

    I have a Flash app on Facebook. I use SWF Encrypt 4.0 to lock down the .swf and use Flash remoting for the communication… that’s about as secure as you can get it.

  6. john b

    Actually there is a decompiler that partially supports AS3. It’s called flash decompiler 3 trillix.

  7. admin

    Nice one Joeboxer, any chance we can take a look at your app?

  8. Carmella Bing

    I read your blog in a regular manner and just love it
    hope there will be more postings from you, keep on going
    greetz, carmella

  9. Hamed Aliloo

    How use facebook as3 api with flash cs3

  10. Darren

    I imagine you could just load up the api key from a php script or other programming language, into the swf application. You could protect the script by POST’ing a big random variable to it just to check that it’s coming from the right person and not a hacker, then return the api key to the swf if the var checks out. Not sure though as I haven’t looked into FB developers applications before.

  11. David

    Darren has the right idea. Keeping all sensitive info external from the swf is the only way to go, AS3 decompilers or not.
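
A sketch of the approach from the last two comments, added here as an example and not taken from the post or from any commenter's app: the secret stays on the server, which signs each request, so the swf only ever receives a short-lived signature. The secret value, method names and function names are assumptions made up for illustration.

```python
import hashlib
import hmac
import json
import time

# Assumption: the secret lives only in server-side config (constructed value).
APP_SECRET = b"constructed-demo-secret"
# Hypothetical method names: the server signs only calls it expects the swf to make.
ALLOWED_METHODS = {"profile.get", "friends.list"}
MAX_AGE_SECONDS = 300


def _mac(params):
    """HMAC over a canonical JSON form so both sides hash identical bytes."""
    body = json.dumps(params, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(APP_SECRET, body, hashlib.sha256).hexdigest()


def sign_request(params, now=None):
    """Server endpoint the swf posts to: returns the params plus ts and sig."""
    now = int(time.time()) if now is None else now
    if params.get("method") not in ALLOWED_METHODS:
        raise ValueError("method not allowed")
    signed = dict(params, ts=str(now))
    return dict(signed, sig=_mac(signed))


def verify_request(signed, now=None):
    """Backend holding the same secret: rejects tampered or stale requests."""
    now = int(time.time()) if now is None else now
    body = {k: v for k, v in signed.items() if k != "sig"}
    supplied = str(signed.get("sig", "")).encode()
    if not hmac.compare_digest(_mac(body).encode(), supplied):
        return False
    try:
        age = now - int(body.get("ts", ""))
    except ValueError:
        return False
    return 0 <= age <= MAX_AGE_SECONDS


if __name__ == "__main__":
    req = sign_request({"method": "profile.get", "uid": "42"})
    print(req, verify_request(req))
```

Anyone who decompiles the swf finds only the URL of the signing endpoint; the allowlist and the timestamp bound what a captured signature can be reused for.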
