Thanks Claudiu, I have found a PDF of the presentation and on page 4 it says the following about protecting sensitive data through embedding:
* Most decompilers don’t look at embedded data. * Given that SWF is an open file format, nothing is really stopping them from doing this in the future. * Useful for quick/dirty storage of WebService credentials. So this is definitly better than storing the keys in plain text format, but still easy to crack. Any other suggestions. Thanks, Haykel Ben Jemia Allmas Web & RIA Development http://www.allmas-tn.com On Mon, Sep 26, 2011 at 11:33 AM, claudiu ursica <the_bran...@yahoo.com>wrote: > ** > > > You can embed the keys instead of keeping them in plain site. > > check this session I think you will find some useful stuff: > > http://tv.adobe.com/watch/360flex-conference/encrypting-flex-protecting-revenue-by-andrew-westberg/ > > C > > ------------------------------ > *From:* Haykel BEN JEMIA <hayke...@gmail.com> > *To:* flexcoders <flexcoders@yahoogroups.com> > *Sent:* Monday, September 26, 2011 12:00 PM > *Subject:* [flexcoders] Restrict access to an API to only allowed > applications > > > Hi, > > I'm looking for the best and most secure way to restrict access to a web > API to only allowed applications. The best option I found is to use 2-Legged > OAuth where applications would get a consumer key and a secret key. The > problem here is that SWF files can be easily decompiled and the keys > extracted. My questions here are: > > * Does anybody know a way to protect the keys? > * Is there another authorization mechanism that is better suited for such > client applications in general (Flash, JavaScript ...) > > Thanks. > > Haykel Ben Jemia > > Allmas > Web & RIA Development > http://www.allmas-tn.com > > > > > >
