3 Replies Latest reply on Jan 8, 2010 8:03 AM by msakrejda

    how to pass data to Flex application (SWF) securely?




      I need to pass sensitive data such as username and password to my Flex application and enable my flex application to support connectivity to an external database, Salesforce.com, etc.


      I know about using URL parameters or using the flashVars. However in either of these method you are passing the data in plain text to the Flex application which is not really secure.


      Even if you consider encrypting the parameters you still need to have the decryptor code in the Flex app which again exposes vulnerability.


      What is the best practice to securely pass the data to the application (Flex SWF file hosted on someone's website)?



        • 1. Re: how to pass data to Flex application (SWF) securely?
          Johnking08 Level 1

          Use HTTPS with HttpService.

          • 2. Re: how to pass data to Flex application (SWF) securely?
            Sam_Flex Level 1

            HttpService is used inside the Flex app, this means that you should hard code username and password into your Flex app and then compile it into SWF.


            Firstly each time you want to update the credentials you need to recompile and secondly this is not safe since the SWF file can be de-compiled.



            The requirement is that to do not include the credential inside the SWF file and somehow securely passed in via flashVars, etc.


            Using SSL secure it the channels (between server and client) so no one can sniff the username and password along the way. However at the end-user's browser again the data will be one right click away. "View source code" on the browser.


            Any other thoughts?

            • 3. Re: how to pass data to Flex application (SWF) securely?
              msakrejda Level 4

              You mean, you want the .swf to be able to connect somewhere with certain credentials, but you don't want to expose those credentials to people with access to the .swf itself? There is no secure way to do this (not just in Flex but in general). The best you can do is hard-code the credentials in the .swf and obfuscate them (which, depending on what you're doing, may be good enough) or proxy the sensitive interactions through the server and keep the credentials on the server.