The "High Score" Problem
I've been doing a lot of research on this topic recently and I'm sort
of stuck. For those who don't know about this type of problem, it is
the security concern that communication between Flex (a Flash
front-end application) and a server through PHP is thinly-veiled and
prone to attack. Specifically, when a Flash game tries to tell the
server that a user got a high score, an attacker can find a way to
fake this high score and achieve the best score (sometimes resulting
in a cash prize).
The measures that I've been studying seem to only get in the way for
attackers, but not thwart them entirely. For example, one could simply
encrypt the data that is passed to a PHP file, but the Flash
application can be decompiled and the encryption technique is
discovered. Alternatively, one could obfuscate the application, making
the decompilation produce jargon, but this too can be translated into
human-readable text. A server can check data for feasibility by using
a timer to detect super-fast computer-generated PHP POSTs, but this
too can be overridden by slowing down the auto-POSTs. This is the case
for other "human" feasibility checks. If the server checks the POST
headers, they too can be faked by proxies.
Is the simple conclusion that Flash applications are inherently
transparent? There is no such thing as Flash application security?
Does SSL patch any of these risks?
How can a "high score" problem be overcome?