Use HTTPS with HttpService.
HttpService is used inside the Flex app, this means that you should hard code username and password into your Flex app and then compile it into SWF.
Firstly each time you want to update the credentials you need to recompile and secondly this is not safe since the SWF file can be de-compiled.
The requirement is that to do not include the credential inside the SWF file and somehow securely passed in via flashVars, etc.
Using SSL secure it the channels (between server and client) so no one can sniff the username and password along the way. However at the end-user's browser again the data will be one right click away. "View source code" on the browser.
Any other thoughts?
You mean, you want the .swf to be able to connect somewhere with certain credentials, but you don't want to expose those credentials to people with access to the .swf itself? There is no secure way to do this (not just in Flex but in general). The best you can do is hard-code the credentials in the .swf and obfuscate them (which, depending on what you're doing, may be good enough) or proxy the sensitive interactions through the server and keep the credentials on the server.