I am designing the application in Flex that connects to some web services to perform some financial transactions. Web services are secured using https protocol and are asking for user token created at login on each request. This is used to authenticate and authorize the user. So far so good.

The trick part is that not all of our web services are coarsely grained. To give you an example, we can have two web service methods: EnoughFounds and Transfer. So, only after the method EnoughFounds replies “true” will I execute Transfer. This logic is programmed inside the Flex application code.

The scenario I am presented is the following: What if someone downloads the application and decompiles it. Than modifies the code so the step EnougFunds is not executed. Or maybe writes a completely new client maybe in even other technology that will execute Transfer without passing through EnoughFunds step. On executing Transfer, user will be authorized and authenticated on the server; but since he is using his real credentials, he will be able to execute the Transfer. The check that he skipped belongs to business logic and not security domain. I need somehow to make sure that the code that is executing the application is unmodified Flex code that I wrote and user downloaded. How can I do that? I know I can rewrite services so that the sequence is executed on the server, but that implies significant effort and I am looking for some other kind of solution.

It seems to me that there must be some security mechanisms that would resolve this particular problem.

Please note that I am not looking for advice on best practices. My requirement is not to change anything on the server-side. How can I secure the sequence on protocol level, without changing services?