Re: Securing Flash Games.

["Dan Crowley" <dan.crowley () gmail com>]

Flash, being a technology that runs on the client side, will always be
subject to modification. Consider all data coming from the application
to be tainted.

Furthermore, any sort of encryption that you use will be difficult (if
not impossible) to enforce. Any algorithm or key used will still be
stored in the flash file, and all it takes is some reversing to pull
it out. All of a sudden, users can send messages as if they were the
flash game, using your encryption key and algorithm.

Even worse, there are more considerations than the strength of the
encryption scheme. Let's say, for example, that you have a flash poker
game. For the sake of argument, you find some way to make the
encryption scheme impossible for the user to break. Then, a malicious
user (Let's call him Mallet) decides to run a packet sniffer on his
machine. Mallet picks up the packets his computer sends to the game
server. He's down $300, and finally manages to win a piddly $5 back.
Mallet then isolates the packet sent after winning those $5 and sends
it again. And again. And again, ad nauseum, until he's doing very well
indeed at poker. There are ways to prevent this, but still...

Put as much of the process on the server as possible. As long as the
logic is on the client side, it will never be secure.

-- 
Dan Crowley
"One machine can do the work of one hundred ordinary men. No machine
can do the work of an extraordinary man."