Adobe frequently updates the Flash Player software security model to improve the security of the Flash Player environment. However, that addresses only half of the overall solution for securely deploying applications that run in Flash Player. As the web developer, you must also correctly use the tools provided by the ActionScript language and the Flash Player platform to help ensure that your SWF files are more secure. Poor programming conventions can expose SWF files and the sites that host them to web attacks. Adobe provides many resources to developers, such as its Secure Programming Guide, to assist with developing more secure code.
Peleus Uhley wrote a nice article that outlines many of the security considerations associated with common tasks and provides samples of techniques that can be used to help secure code against those threats. Links to the full documentation are provided throughout the article for further reference. These techniques are designed primarily for the Flash Professional development environment, but they can also be applied by Flex developers.
His article covers several potential threats to SWF files, such as:
- Cross-domain privilege escalation
- Malicious data injection
- Script injection into the browser
- Insufficient authorization restrictions
- Unauthorized access to data in transit
- Unauthorized local data access
- Cross-site request forgery
- DNS rebinding