In a Facebook flash app, you're not suppose to hardcode the secret app key (given to you by Facebook) because the app can be decompiled.
Everyone suggests passing it in to the SWF via flash vars, for example:
// Get FlashVarsflashVarsParams = loaderInfo.parameters; // grab the secret key, session key, user id, friendsList...etc.
However, as this video illustrates:
A user could find the memory location of loaderInfo.parameters and find the secret key value. Correct?
Retrieving data ...