3 Replies Latest reply on May 30, 2010 11:43 PM by Dajji

    Security Question


      Newbie to Flex & AIR here...


      I'm looking into creating a desktop application using Flex and deploying it using Adobe AIR which would connect to a remote MySQL database. I'm looking for some advice on securing the data transmission between the desktop application and the database since the data being exchanged will be extremely sensitive in nature. Obviously the transmission will need to be encrypted using an SSL certificate and HTTPS, but am I overlooking anything else?


      What security concerns should I be aware of with using AIR?


      Are there any "frameworks" out there that will facilitate the implementation of security in Flex?


      Are there any "roadmaps" out there that I should look into about this? White papers?




      Thanks for everyone's anticipated help!

        • 1. Re: Security Question
          Dajji Level 3

          The biggest challenge for you would be to secure your data. You can use cryptography to ensure that data being passed to the server is sure. One of the AS3 APIs for cryptography can be found at http://code.google.com/p/as3crypto/.

          • 2. Re: Security Question
            snkd Level 1

            I think AMF is better because it is 10 times faster than alternatives...



            Reference http://www.insideria.com/2008/09/amf-vs-json-vs-xml.html


            Action Message Format (AMF), which was developed by Adobe and is open to the public, is another RPC format that is gaining momentum among RIA developers. Although AMF is mostly used by Flash and Flex developers, there are implementations of this protocol in PHP, Java, and even .NET.


            JSON and AMF seem to be far more efficient than XML over HTTP but they also depend on the existence of libraries designed to encode and decode the content. XML on the other hand is supported by all modern languages as XML parsers are included in the base libraries of most RIA platforms (e.g. Flex, Ajax, Silverlight, Curl, Java). In addition, XML is simply easier to understand when looking at an arbitrary web interface.


            So there appear to be good use cases for two categories of RPC protocols in RIA applications: XML for public APIs and Compact Protocols (e.g. JSON and AMF) for private communications.


            In the case of public APIs, if you are going to publish a Web API that can be used by any application (e.g. Amazon Web Services, Google Code) then you want to provide XML interfaces at the very least. You can also provide JSON and AMF, but XML must be present or adoption won't happen.


            In the case of private APIs - those web APIs used by a single RIA application or within the enterprise - you can choose between XML, AMF, JSON or something else. If it’s your application and you're not attempting to support public consumption, use whatever makes sense to you. In the case of private APIs the use of compact protocols such as JSON and AMF makes a lot of sense. They tend to be much faster in both message size and parsing than XML and provide a significant difference in overall application performance.

            • 3. Re: Security Question
              Dajji Level 3

              AMF is better in many ways. However, one issue with AMF is that it does not use the HTTP protocol. Now anyone can understand what that means. HTTP is an open protocol and supported by everyone. AMF is a proprietary protocol and closed. Using AMF will also have issues regarding firewall settings.