Security: Achievement and score API in AS3

Question

Over the years I've become an uber-nerd when it comes to flash game development. Now I'm thinking about looking into using my skills for helping other game-developers out there.

I want to develop an API in AS3 which will allow the developer to do (as a start) the following:

1. Display a dialogue which lets the user log into their "account" (hosted on my site).
2. Send a score/value to the website and attribute it to the logged in user.
3. Unlock an achievement (achievements will be set up by the developer in the web interface - which is where they will also get a key of some type to use with their API.
4. Display high scores, other players profiles in-game, etc (show basically any stats in-game).

All easy enough to develop straight off the bat. However; where it becomes frustrating is security. I'm not expecting an indestructible solution that I'm fully aware isn't possible, but what would be the most defensive way to approach this?

Here are the issues that I can think up on the spot:

1. The big one - people stealing the API key via man-in-the-middle attack.
2. Highscore injection, false achievement unlocks.
3. Decompiling the SWF and stealing the API key.
4. Using the API key to create a dummy flash application and send random data like highscores.
5. Altering the API itself so you don't need to be logged in, etc.

One thought I've had was converting my API to a component so there's no access to the code (unless you decompile). The problem here is it's just not friendly to the developers, though it would allow me to create my own graphics for the UI (rather than coding many, many sprites).

Private/public keys won't work unless there is very good protection against decompiling.

I'm beginning to wonder if this idea is a dead end.

Any advice on securing this (or parts of it) would be great.

Answer 1

1. Against man-in-the-middle HTTPS seems the only option. It may have its vulnerabilities, but it's way better than any home-made solution. The problem that you'll need actual certificate from authorized center, because ActiveX-based Flash plugin will not trust self-signed certificate.
2. Should not be possible without decompilation
3. SecureSWF with reasonably high settings (code execution path obfuscation and encrypted strings) should beat most decompilers. Sure, SWF can be examined with hex editor, but this will require very determined hacker.
4. Should not be possible without decompilation
5. API should be on server and any API function would require user context (loaded by HTTPS)

Also add encryption to flash shared objects\cookies. I had successfully altered some savegames using simple hex editor, because they were just objects in AMF format. Encryption will depend on SWF decompilation, but since we are using SecureSWF... Or move savegames on server.

Answer 2

client side is never secure enough, so i'd suggest to take all the logic to the server, reducing client to just UI.
If it's impossible due to network timeouts - send scores/achievements only with the log of pairs "user_action - game_state" and verify it on the server.

Answer 3

Look at this thread first if you haven't done so already: What is the best way to stop people hacking the PHP-based highscore table of a Flash game