I have an SWF that communicates with a PHP file and ultimately the DB. The PHP checks whether the User has the appropriate Password etc. and if it is accepted, the actions the person performed on the SWF (game) are used to compete with other Players of the game.
send altered data or actions that are illegal in the game with their submition? To clarify: If a character in the game can only move 1 square at a time, can an evil evil hacker/decompiler (who is a Player in the game) tell the SWF to tell the PHP file that his/her character moves 3 squares at a time?
I'm just want a sense that things will be somewhat secure. There isn't any sensitive information in the SWF besides the location of the PHP file on the net.
We are planning a desktop client application with Adobe AIR. The client app will be delivered to our customers with a database, which contains monthly updated marketing data provided by our company. As different customers will buy different sets of data from us, for example, a customer is only interested in marketing data in a specific product category, while another customer need all data in a certain region. After a customer installs this client app, new data will be emailed to the customer every month.
So, the requirement is to keep the data accessible only by the customer who bought it. After reading through AIR's secure local store and database encryption feature, I came up with the following design: each customer will have his own secret key (stored in AIR's secure local store), the secret key is used to encrypt the data that the customer has purchased. Of course, the monthly data that we sent to the customer will be encrypted using the same secret key. So my questions are: is AIR's database encryption and secure local store secure enough for this use case? If someone gets the encrypted database file, can he decrypt the DB?
I have to make connection to the DB and Insert a row based on the data that the SWF sent me...I will need to make it so that the SWF->PHP part is secure by not letting users tamper with data.I don't want to use SSL because its not a suitable solution... what other method is available?
We have a swf file that we want to secure and make available only to authorized users.
I embedded the file in an aspx page and that works fine, since ASP.NET handles the aspx page, I can use ASP.NET authorization features and in the web.config restrict the access to roles="AllowedUsers" for example.
However smart users could still get to the file by accessing directly for example www.mysite/flash.swf. We want to make that kind of access secure.
I have a flex application, running with amfphp and connected to wamp, I want to use a secure connection using ssl, but my whole application is running from the same swf file, would using ssl in that case mean that all the data, being sent and received between the server and client ,encrypted? Because this is not what I'm trying to do, I only want to encrypt the sign up and sign in data.
please note that, I have log-in bar which is visible the whole time as long as the user is not signed in.in other words, I only want to secure some of the data being transferred not every thing.
I have installed Flash Media Server on our server. When I load up the application home page, I see the demo video of a train.
Then I click on the "Interactive" tab on the right hand side. I was SHOCKED to see that I can create a live stream from my local camera without any credentials at all. Anyone who visits this webpage can publish a live video stream on our Flash Media Server?
I have a SWF hosted on a https enabled domain and amfphp installation on the same domain. Now when i let user embed the swf on his on http page, i intend to send some data to amfphp without user seeing it. However i see that firefox with firebug plugin catches the post data easily. How is this happening ? Adobe documents say that if a swf is hosted in https and destination is also under https, its suppose to be secure?
I have an AIR app in AS3 that connects to an online database, checks the login details for the user account, and logs in if all is good. Once logged in, the user can update database info, plus overwrite files in their user directory. So far it's working fine.
Problem is, I've only got it set up to send the raw login data. Once the php receieves it, it's hashed to check the hashed version in the database, but is there a way to hash and then unhash a password sent from an AIR app? Or a way to use https?
Also, regarding sessions, if you have a seesion in a browser, the session closes automatically when the browser closes, right? So how do you make a session close that you've opened via an Air app? I guess you could trigger a close from certain actions within the app, + when the app closes, but say the app crashes, or the computer crashes - will your session still be floating around out there open?
how to make secure SWF files, so that decompilers like sothink won't be able to decompile these swf files at all. i have been assigned some research work to find out the stuff to make swf files highly secured
I'm working on a desktop application that uses API keys for Twitter but AFAIK, AIR applicatioons are easy to decompile. I want the processing of the API requests to be client-side, not server-sided. At most, I want to keep the dependency onto the server to as low as possible.
What I'm thinking is sending the API from the server to the AIR app on the first run. I've already seen Shared secret with API in an Ajax Adobe AIR app but my question is a bit different in that, I want to know how secure ELS is?
How does Adobe work it's way to storing stuff into the ELS? Does it go through multiple encryption sessions before finally getting stored somewhere on the computer?
I have a Flash app that makes periodic calls (using URLRequest and URLLoader) to the same server that hosts it, to check if the current session has expired or not.The problem with this is a man in the middle can spoof a valid response.Is there a generally accepted way to validate a response?Would using 'https' in URLRequest(url) invoke https protocol, would that be sufficient? I'm not a security expert, but would that check if the site is who they say they are, just like the browser?
I was wondering what the best route to take for making a login. The idea is to have the user login with their username and pass on frame 1. If the username and pass exist in the MySQL database then the user will be moved to frame 2. What would be the best way of achieving this? I know AMFPHP is old and I have heard to use ZENDAMF instead, but it seems that any recommendations are 2+ years old when I searched Google.
I have a html pages in which user is logged onin one page he can use swf movies but that movies need to know which user it isso I need to pass vars to swf (username), but that can be problembecause anyone could open swf with submitting username to swfso I need somehow secure user var pass to swf at startif
There's a common strategy for posting to a database where a serverside page is called, passing it querystring data, in order to add entries to a database.
This is not secure though, anyone can decompile the .swf and hack the database by calling the serverside page with their own info. Does anyone know of a secure strategy that does not rely on obfuscation?
I'm building a flash-game-site for a while. The big trouble is Secure Score Submitting System .I search on the net and find some ineffective techniques:
-Secret word method: there is an secret word (crypto pass) on the server and flash gets it from server and uses for crypting score data then sends it to server. But the algoritm that does the crypto job, can be accesible with a swf decompiler. Also getting the secret word from server outside of flash is simple. Not safe!
-HTTP_REFERER method: php (or what else) check HTTP_REFERER data to determine where the post coming from. But with a simply firefox extensions, the referer header can be changed. Not safe!
That is my own idea but can only make cracking harder, not more:
-We can get flash vars with js (:swliveconnect) and send to server. Flash just make a fake submit that makes no effect. Just a trick. But not safe
I want to secure and to load two SWFs files from the same domain, does anyone have any examples and methods applying with allowDomain() that can be used to allow the SWFs to communicate and share data and functions.
I'm working on a project (a game) that will run inside a container which is a separate swf. The purpose of this container is to be a sort of landing/end page for future games that's standardized.
For example: container.swf is embedded directly in the HTML page, and is given a flash var with the location of the game (game.swf).
-container.swf loads in game.swf as a child MovieClip
-At the end of gameplay, game.swf dispatched an Event containing the score and other pertinent game information
-container.swf has eventListeners that activate when game.swf dispatches those events, and stores the score given from the game.swf onto separate servers (in a db of some sort)
Now, we have a security option set up to keep the data from being tampered with as it travels from container.swf over to the database (as it is travelling over HTTP, which is easily intercepted, so a hash is included to verify the delivered contents)
My partner also believes that a similar hash-verification systems needs to be in place for the communications between game.swf and container.swf. However, I was under the impression that, since those communications don't travel over HTTP (and rather travel through the Flash player virtual machine type thing),adding such security is unnecessary (and retrofitting container.swf would be a non-trivial task).
So, which of us is correct? Is inter-swf communication (via eventListeners) inherently secure (since that would require lightning fast hacking in order to intercept the data...nanoseconds at best)? Or is adding another layer of security actually useful?
1) I'm trying to create a Flash Login Form but I guess its working with ASP or PHP. Can I make Flash to check usernames from any local mdb? As long as project doesn't require internet connection, excel or sqlite will be enough for me.
2) This question is related to first question. If I cant use a mdb file it seems I'll need to embed all those 5.000 users in flash project, am I correct? Also projects SWF file is 50mb. It will work from CD source, would that cause any problem? I've made it all in one SWF file for security
i am working on creating a custom application for FMS 3.0 that calls a webservice to validate the user coming in. I have tested the following sample code from the Server-Side ActionScript Language Ref. (See below) The URL has been changed to protect the innocent.
This codes seems to work fine when going to an unsecured site but the innvocation of the service never seems to go out when attempting it over SSL. The Server documentation says that outgoing calls like this should work over SSL. Is this true? If so what do I need to do to get it to work?
After installing FMS 3.5.1, anybody can use my server for live enconding. How can I configure the server to authorise live encoding only from subdomain 1234.4567 or by a password?
We just found out someone is bouncing a pirated feed off our FMIS 3.5.2 server. after months of not having to look at this thing (and not remembering crap about parts of the setup), I'm trying to discover a few things.
First is, how do we tell FMIS which vhost allows live encoding? Second, as I look at the logs and logger.xml, I'm trying to tell how to force it to show the ip's of inbound/outbound traffic. Think I'm doing the right things to the file, but the log for the application/entry point the pirate is using doesn't show what I believe I configured to be the fields that should show up in the log. Finally, trying to figure out how to force authentication of media encoders talking to the server. I'm scanning the online help docs, etc. trying to remember all this stuff.... but if anyone can say "look at this page in the pdf, and this page in the online" to affect what I need to do to lock this up quick,
What's the best way to secure a Flex-BlazeDS application? I've googled it an several solutions came up.UPDATE after question from jsight:Flex would login, so on the RemoteObject I'll set Credentials I don't know if there comes authentication and authorization with BlazeDS (WebORB for instance does and WebORB looked at BlazeDS for their product) SSL not needed 've seen some links on the internet talking about spring security, so I'll check that out.
i recently had a look to the tutorial for custom authentication within a flex application. The login is managed by getting the ChannelSet from a RemoteObject:
private function creationCompleteHandler():void { if (cs == null) cs = ServerConfig.getChannelSet(remoteObject.destination);
[Code]....
After that the channlset can be used with the login command of ChannelSet. How can i insure that this is using a secure connection? I know that there is a amf channel and a secure amf channel. But how to tell to provide the credentials in a secure connection?
I have an application running on flex and php, connected using amfphp, i added a secure channel to services.conf of amfphp [code]how do i know if flex is actually using this secure channel? i tried [code]from the php side and they are both false ... but if i remove these checks it works fine, I'm using wamp, with mod_ssl, and working from localhost
Please is there any open source solution that can help me to secure the source code of a project that is developed by too many developers from being copied of stolen by the team member?My Boss asked me to find a solution that put all the project in the server and allow all the developers to develop on the server from their computers, is this possible?
I need to transfer data from a flash application running in a browser to a server running php. If I use an https connection will that be enough to ensure that the data sent from flash to the server is encrypted and sensitive data can't be sniffed, or do I need to do encryption in my flash application itself?
I'm working with a friend with some changes to their complex flash site after their previous developer jumped ship on them. In the process of making some edits I noticed that the previous developer had exposed all of their data to the world. Any slightly tech-savy user could pretty much read all the table data in their database by visiting a php page.
So here's the scenario I'm trying to solve. - The flash site uses Shared Objects to save users access privileges when they log in successfully. - There are frequent calls to the database to display information (whether logged in or not). The site calls a php page.. lets say... query.php?table="tablename" and returns all tables data... (what a mess). Only specific columns are needed to be returned to the user (whether they are logged in or NOT logged in). there is no check to see if the user is logged in or not when this page is called. so anyone can call a page and get this data. - Only the ADMIN should get returned the full table set as they are the ones that need to see all the data in flash. however the same php query is called for the admin and for the regular user and any non-logged in user.
So. I guess I can limit the data set returned for the average logged in or not logged in user so the more sensitive data isn't shared. But how can I authenticate the logged in admin to share the full table data?
Does anyone know a 100% secure way to transfer a variable from Flash to PHP. I have a SSL on my site, but I've been told that using the loadvars cmd is about as unsecure as you can get, even if your page is secure.One of the suggestions was Flash Remoting, can anyone confirm that this is a safe way to send a secure variable?
I know there are a lot of topics already on this. I have read (hundreds of) them and I'd still like your input.
If I have a flash UI that takes user input and passes it to PHP; is this secure? I have read that, yes, this is okay. I have also read that no, you need to encrypt the data, by say hashing it before sending to PHP. OK, easy, I do this already but.....
In my case I have the data/password stored (when the user inputs it, not in the swf of course) and sent every time I want to access any PHP (using AMFPHP). The PHP check this password each time and only runs if it gets the correct password. So in this case if I hash the password, it makes no difference, it just changes what the password is rather than providing any actual security (well maybe minimal because it's less recognizable).
So can someone extract a password that is sent from flash to PHP?