Is Flash secure?
7year
02-28-2005, 03:38 PM
When creating ecommerce applications in Flash, are there any extra precautions that need to be taken to make it secure other than having it on a secure SSL setup with an SSL certificate? I was asked this, but was not sure of the security status of Flash. If anyone knows or could point me to info regarding this, it would be greatly appreciated. TIA for any help.
Darkware
02-28-2005, 03:53 PM
Well, I'm not sure what kind of security exactly you're talking about but Flash isn't really capable of automatically installing viruses or anything like that as far as I know. The one thing it can do is use fscommand("exec", ""); to execute a program. The only catch to this is that the program must be in a certain directory below the Flash file and that directory must be named a specific name AND the Flash file must be an exe. SWF files won't do it. The only other thing is Flash writing to that local folder thing, but that's not a risk because it can't compile viruses or anything. Any file it writes will be safe.
7year
02-28-2005, 04:03 PM
I mean secure for e-commerce applications. If the page is on an SSL server, is everything viewed on that page secure, i.e. safe to use for transfer of sensitive data?
sneeuwitje
02-28-2005, 04:54 PM
If all your calls are made through 'https' I don't see what difference there would be with normal SSL traffic ... then again I've never tried that, so ... if you get that running, it will proof your pudding *stupid word-joke* ;)
CyanBlue
03-01-2005, 12:39 AM
Flash movie in the web is "in no ways" secure... You have the right tool, and it's not that hard to see what you are sending out... :)
sneeuwitje
03-01-2005, 02:08 AM
That's shocking news CB ... but as in 'musting to know' ... and googling 'flash security' only gets me pages more than 1 year old (...) ... I'd really like to know what those tools are, how advanced operating them is, and if it breaks standard security offered by a 'secure socket' (... or can secure sockets not be made in flash?)
(and is it a windows-only? ... cause then I don't care anyway ;) )
CyanBlue
03-01-2005, 03:23 AM
Well... I am just speaking generally... There are lots of packet sniffers out there... If the site is not residing on the SSL, you can use the packet sniffer to capture what people are sending out and where the data is going and so on... There are similar tools that you can use to capture the transaction over the SSL as well... (Or, wait until the transaction is not on the SSL any more...) and I am not saying any further cuz I just don't have any experience... I just remember what I have read... :)
sneeuwitje
03-01-2005, 03:32 AM
Yeah, well nobody does apparently ... or they don't want us to know ;) ... maybe I should search better ... call-in again when I find any.
hangalot
03-02-2005, 12:09 PM
Flash over HTTPS is as secure as any other web app over HTTPS. What you should not do is store important logic in the SWF that will compromise your business, since the SWF will still be downloaded to the client and can be decompiled.
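An added example, not part of the thread: the server-side half of the advice above about keeping important logic out of the SWF. The handler prices an order from its own catalogue and treats any price or total in the request only as a tamper signal; the catalogue, field names, function names and sample request bodies are all hypothetical and constructed for illustration.

```python
from decimal import Decimal, InvalidOperation
from urllib.parse import parse_qs

# Hypothetical server-side catalogue: the only trusted source of prices.
CATALOGUE = {"sku-1001": Decimal("19.99"), "sku-2002": Decimal("149.00")}
MAX_QTY = 50

# Constructed sample request bodies (form-encoded, as a SWF client could post them).
HONEST = "sku=sku-1001&qty=2&total=39.98"
TAMPERED = "sku=sku-2002&qty=1&price=0.01&total=0.01"  # values changed on the client


class OrderRejected(Exception):
    """Raised when a posted order fails server-side validation."""


def _single(fields, name):
    # Require exactly one value so duplicated parameters cannot confuse pricing.
    values = fields.get(name, [])
    if len(values) != 1:
        raise OrderRejected(f"missing or repeated field: {name}")
    return values[0]


def price_order(form_body):
    """Price an order from server data only; client totals are just a tamper signal."""
    fields = parse_qs(form_body)
    sku = _single(fields, "sku")
    if sku not in CATALOGUE:
        raise OrderRejected("unknown sku")
    qty_raw = _single(fields, "qty")
    if not (qty_raw.isascii() and qty_raw.isdigit()):
        raise OrderRejected("qty must be a whole number")
    qty = int(qty_raw)
    if not 1 <= qty <= MAX_QTY:
        raise OrderRejected("qty out of range")

    total = CATALOGUE[sku] * qty  # recomputed here, never read from the request
    try:
        mismatch = Decimal(fields.get("total", ["NaN"])[0]) != total
    except InvalidOperation:
        mismatch = True
    return {"sku": sku, "qty": qty, "total": total, "client_total_mismatch": mismatch}


if __name__ == "__main__":
    for body in (HONEST, TAMPERED):
        print(body, "->", price_order(body))
```

A mismatch between the posted total and the recomputed one is worth logging, since an unmodified client should never produce it.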