Given the nearly plain-text nature of Flash, from a security standpoint, we must assume that your SWF can be decompiled into a human-readable format. That said, how can we ensure the validity of any online calls? For example, recording a high score might make a call similar to this:
```actionscript
var url:String = "http://someserver.com/tracker/scoreTable.aspx?mode=record&score=" + _userScore + "&checksum=" + MD5.hash( /* stuff */ );
var loader:URLLoader = new URLLoader();
loader.load( new URLRequest( url ) );
```
You can do all the MD5 hash checking to make sure the data received matches what was sent, but how can you verify the validity of the call? For instance, one could decompile the SWF and figure out how to build the query string manually, or they could reverse-engineer it by monitoring the internet calls from the SWF itself. They could even use a run-time memory editor to change the figures that store the information while playing the game, so that when the recordHighScore call is made, it sends 1,000,000 instead of 1,000.
How does one authoritatively validate data and protect against abuse?
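
An added example (not from the original post) of the server side of the score call. It shows that a checksum computed in the SWF verifies for any score, and it goes beyond the post with two server-side checks: a single-use session token and a time-based plausibility bound. The salt, `MAX_POINTS_PER_SECOND`, `ScoreServer` and the token scheme are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Assumption: the post's checksum is MD5 over the score plus a salt shipped in the SWF.
EMBEDDED_SALT = "constructed-salt-shipped-in-swf"  # constructed sample value
MAX_POINTS_PER_SECOND = 50  # assumed game-specific ceiling on scoring rate


def client_checksum(score: int) -> str:
    """What the SWF computes. Anyone who decompiles the SWF can compute it too."""
    return hashlib.md5(f"{score}{EMBEDDED_SALT}".encode()).hexdigest()


class ScoreServer:
    """Hypothetical score endpoint that does not trust the client's checksum alone."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._sessions = {}  # session token -> time the game started

    def start_game(self) -> str:
        # The server issues the token, so a score cannot be posted without a session.
        token = secrets.token_urlsafe(16)
        self._sessions[token] = self._clock()
        return token

    def record(self, token: str, score: int, checksum: str) -> str:
        # Detects transmission errors only: the salt is in the client, so a
        # forged score carries a valid checksum as well.
        if not hmac.compare_digest(checksum, client_checksum(score)):
            return "bad-checksum"
        # Single use: popping the token makes a replayed request fail.
        started = self._sessions.pop(token, None)
        if started is None:
            return "unknown-or-replayed-session"
        # Plausibility: the score cannot exceed what the elapsed time allows.
        elapsed = self._clock() - started
        if score < 0 or score > elapsed * MAX_POINTS_PER_SECOND:
            return "implausible-score"
        return "accepted"
```

These checks bound what a modified client can claim; they do not prove that an in-range score was actually earned.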