0 votes

I am looking at ways to implement a safe client-server communication via HTTPService requests in Flex/AIR. The server side is implemented in PHP, whereas the client could be running on a desktop (AIR) or in a browser (Flex).

The simple use case that I need help to secure is:

Desktop client sends a request to the server and gets a response

  1. How can I ensure at the server side that the request is being sent from a valid client? From what I could research, Flex doesn't allow for manipulation of request headers, so I am failing to manipulate them. All request queries can be seen by using any network monitor, so having a unique (yet static) parameter won't really achieve what I am trying to achieve.
  2. On the other hand, the server can be mimicked by simply manipulating the hosts file. At the client end, how can I ensure that I am receiving the response from the actual server and not from an alias added to the hosts file?
Regarding number 2: how would someone aliasing your domain using a hosts file actually hit your actual server code? Will just using HTTPS solve your issue? - JeffryHouser

@Reboog711 Aliasing won't hit my server code, but could fake/prevent things like license validation etc. - Rohan

So you're creating some type of DRM scheme, then? DRM schemes from companies like Microsoft, Apple, and Adobe are all cracked easily. I say it isn't worth your time; you're better off changing your business model to something that does not require limiting your customers. - JeffryHouser

1 Answer

1 vote

My solution is to encrypt and decrypt data on both sides.

In AIR, the data you need to send should be encrypted with as3crypto and sent to the server, where PHP would decrypt it. Look here in the last post for a working code example: decrypt a as3crypto encrypted text in PHP. You can do the same for server-to-client communication.

So you need to keep the same Key and IV on both the server and client sides. To be more secure you can embed them as binary data in the project (http://www.ghostwire.com/blog/archives/as3-embedding-binary-xml/); it wouldn't be easily viewable by AS3 decompilers, but take notice that it might still be hacked by the advanced guys.