Home/ Questions/Q 4266454
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-21T06:45:45+00:00

I need to be able to transmit data from a Flash browser application to

  • 0

I need to be able to transmit data from a Flash browser application to a PHP file on a web server, both securing and validating the data whilst and at the same time trying to prevent unauthorised creation of the message. (I want to try and ensure that the message comes from the application, not a user sending a message via another means).

In a C++ application I would Salt the data, and send the hash of the data along with it, and then validate the hash against the data to ensure integrity and source.

However, in Flash (& Java), applications can be decompiled so that the source code is viewable. So if I used this method, someone could (relatively) easily find the salt, and then create a ‘valid’ message of their own to send outside of the application.

Is there any way I can ‘hide’ this salt code to help secure the transmission? Yes, I know there are code obfuscators, but they don’t fully hide the code, just add another layer.

Or is there another method entirely that could be used to transmit data and validate the source & content at the PHP end?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    No matter what you do, the code to do it will be there in the client, and all you can do is obfuscate. If you, as Tomasz says, were to have the client authenticate with the server and then receive a salt (or a key from a asymmetric key-pair) you still need to have all the code necessary to connect to that server in the client. So by design, no matter what you do, all the ingredients to do so has to be in the client, and thus on your “hackers” computer. It’s just a question of much harder it would be for a hacker to understand it.

    It’s the same for all kinds of clients, no matter what language they’re written in. If a DVD player can show a decrypted DVD disc on your TV, it has to have the key to decrypt it in memory, which you can find. This is why no-one has made perfect copy-protection 🙂

    EDIT:
    As all the others are saying. Off-the-shelf obfuscator is probably the best way to go, and you could make the client jump through some extra hoops first aswell.

    EDIT2:
    Turns out I didn’t understand Tomasz correctly. If the user himself has the key to authenticate to the server in order to get the hash, that will indeed authenticate that the message was sent from the user, but still not from the application. If this is a matter of avoiding cheating then the hacker is probably already a customer (buying a product or making an account). If what you want is to authenticate the user, then it’s a completely different matter, and that is quite possible. (with it’s own problems of-course)

    • 0