I’ve heard that checking a hard-coded password in Flash is a big security no-no since users can decompile the SWF and find the hard-coded password. What I’m curious about is if it’s possible to decompile a SWF, make changes, recompile and then insert it back into a web page?
For example:
Say that from within a flash application I pass the current user name to a web-service and get a list of groups that user belongs to. Based on these groups certain content is displayed. Basically these steps:
- Pass user name to a web service.
- Get list of groups back from web service.
- Display content based on those groups.
Would it be possible for someone to change that flash app to just display all content regardless of the groups they belong to? Something like this:
- Pass user name to a web service.
- ~~Get list of groups back from web service.~~
- ~~Display content based on those groups.~~
- Display all content
Why would they bother to change the flash app, instead of just querying the web service directly? But yes, someone could change the flash app.
edit: If you’re talking about content in the flash app being displayed (not content from the web service), then they could additionally impersonate the web service. SSL/TLS doesn’t really help here (the user could just accept the invalid certificate, or load his own CA).
You might be able to make this case work by encrypting the content, and having the web service deliver the relevant encryption keys. Of course, once the key is delivered, the user has it: you can’t securely revoke access.
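An added example, not part of the answer or the original post, contrasting the client-side check from the question with a server-side version. All names, the session store and the group/content data are constructed for illustration.

```javascript
// Constructed sample data: who belongs to which group, and content tagged with the
// group it requires. In the real system these would come from the web service's backend.
const GROUPS_BY_USER = { alice: ["staff", "finance"], bob: ["staff"] };
const CATALOGUE = [
  { id: "handbook", requires: "staff",   body: "staff handbook" },
  { id: "budget",   requires: "finance", body: "Q3 budget" },
  { id: "payroll",  requires: "hr",      body: "payroll export" },
];
// Server-side session store (constructed): the only place identity is decided.
// The client never tells the server who it is by sending a user name.
const SESSIONS = { "tok-alice": "alice", "tok-bob": "bob" };

// Pattern from the question: the client holds the whole catalogue plus a group list
// and decides what to show. A modified SWF can simply skip this function.
function clientSideFilter(groups, catalogue) {
  return catalogue.filter((item) => groups.includes(item.requires));
}

// What a patched client does with whatever it was given: show everything.
// This is the "Display all content" step from the question.
function patchedClient(catalogue) {
  return catalogue;
}

// Server-side alternative: identity comes from the session token, the group lookup
// happens on the server, and items the caller is not entitled to never leave it.
// Patching the client (or calling this endpoint directly) gains nothing extra.
function serveContent(sessionToken) {
  const user = SESSIONS[sessionToken];
  if (!user) return [];                        // unauthenticated: nothing is returned
  const groups = GROUPS_BY_USER[user] || [];
  return CATALOGUE.filter((item) => groups.includes(item.requires));
}

// Helper for comparing results: just the ids, comma-separated.
function ids(items) {
  return items.map((item) => item.id).join(",");
}
```

The comparison in the tests below shows the difference: a patched client shown the full catalogue displays everything, while a patched client talking to the server-side filter still only gets what its session is entitled to.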