Flash Security in Facebook (Using FLEX/AMFPHP)

This is my first tutorial so please bear with me.

A recent personal Facebook project, which included a little Flash, required me to think about security within my flow. My project revolves around my SWF calling an AMF service that I set up. Of course, like most developers struggling with a new language (for me it’s ActionScript 3), security was an afterthought to my main goal: to make a “super awesome Flash app on Facebook, ZOMG!”

According to the Facebook Developer Wiki regarding Flash on Facebook the way to secure your Flash app on Facebook is to do the following:

  • To verify that your Flash object was loaded from a Facebook page, do the following. For security, this technique does not embed your secret key in your Flash app:
  1. Get all the parameters whose names start with fb_sig. (Do not include the fb_sig parameter itself.) In Flex use Application.application.parameters to do this.
  2. Strip the fb_sig_ prefix from all parameters, and make sure the keys are lowercase.
  3. Create a string of the form param1=value1param2=value2param3=value3, etc., sorted by the names (not the values) of the parameters. Note: Do not use ampersands between the parameters.
  4. Separately pass this string and the fb_sig parameter itself to your server, where your secret key is stored.
  5. On your server, append your application secret key to the string that was passed in. The following is returned: param1=value1param2=value2param3=value3myappsecret
  6. On your server, create an MD5 hash of this string.
  7. On your server, compare the generated hash with the fb_sig parameter that was passed in. If they are equal, then your Flash object was loaded by Facebook. (Or by someone who stole your secret key.) In this case respond to the flash object with VALID or a similar code. If the signature is not valid, respond with INVALID.
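As an added example (not code from the original post, from Facebook, or from AMFPHP), here is the whole procedure above in one Python file rather than split between ActionScript and PHP, so the client half (steps 1-3) and the server half (steps 5-7) can be run side by side. The secret, the parameter names and their values are constructed placeholders; the MD5-over-secret scheme is the wiki's, reproduced here as described, and the only addition is a constant-time comparison on the server side.

```python
import hashlib
import hmac

# Hypothetical application secret. It lives only on the server and is never
# shipped inside the SWF, which is the point of the wiki's procedure.
APP_SECRET = "myappsecret"


def build_signed_string(params):
    """Client-side half (steps 1-3).

    params stands in for Application.application.parameters: keep only the
    fb_sig_* entries (never fb_sig itself), strip the fb_sig_ prefix, lowercase
    the keys, sort by key and join key=value pairs with no separator.
    """
    stripped = {}
    for key, value in params.items():
        if key == "fb_sig" or not key.startswith("fb_sig_"):
            continue
        stripped[key[len("fb_sig_"):].lower()] = value
    return "".join(f"{k}={stripped[k]}" for k in sorted(stripped))


def verify_signature(signed_string, fb_sig, app_secret=APP_SECRET):
    """Server-side half (steps 5-7).

    Append the secret, MD5 the result and compare with the fb_sig the SWF sent.
    Returns the wiki's VALID / INVALID reply codes.
    """
    expected = hashlib.md5((signed_string + app_secret).encode("utf-8")).hexdigest()
    # compare_digest does not stop at the first differing byte, so the
    # comparison itself does not leak how much of the hash an attacker got right.
    return "VALID" if hmac.compare_digest(expected, fb_sig.lower()) else "INVALID"


def sign_for_demo(params, app_secret=APP_SECRET):
    """Stand-in for what Facebook does when it embeds the SWF: produce the
    fb_sig for a set of fb_sig_* parameters. Exists only so the example is
    self-contained; a real app never computes this on the client."""
    return hashlib.md5((build_signed_string(params) + app_secret).encode("utf-8")).hexdigest()


# Constructed sample of what the SWF might receive from the Facebook page.
SAMPLE_PARAMS = {
    "fb_sig_user": "123456",
    "fb_sig_added": "1",
    "fb_sig_Session_Key": "abc",   # mixed case on purpose: step 2 lowercases it
    "unrelated_flashvar": "ignored",
}


def run_demo():
    """Happy path plus one tampered request; returns the two server replies."""
    fb_sig = sign_for_demo(SAMPLE_PARAMS)
    request = dict(SAMPLE_PARAMS, fb_sig=fb_sig)

    # Genuine load: the SWF sends the canonical string and fb_sig to the server.
    genuine = verify_signature(build_signed_string(request), request["fb_sig"])

    # Tampered load: someone edits fb_sig_user but cannot recompute fb_sig
    # without the secret, so the server answers INVALID.
    tampered = dict(request, fb_sig_user="999999")
    forged = verify_signature(build_signed_string(tampered), tampered["fb_sig"])
    return genuine, forged


if __name__ == "__main__":
    print(build_signed_string(SAMPLE_PARAMS))
    print(run_demo())
```

Note that the string the SWF sends is just the sorted concatenation, and the secret is appended only on the server; if the client ever had to append it, the secret would be recoverable from the decompiled SWF, which is exactly what the wiki's flow avoids.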

Now this may seem a little long-winded, which it is, but what’s worse is the real lack of information beyond what is found on the FB Dev Wiki.

So let’s begin with the AMFPHP service before moving to the ActionScript or even the Facebook Developer Application.

Before getting into the PHP code for the AMFPHP service, I HIGHLY recommend that everyone watch both of the AMFPHP tutorials at Lee Brimelow’s gotoAndLearn() tutorial and blog site.

Direct links to his AMFPHP tutorials:

Introduction to AMFPHP: Part 1
Introduction to AMFPHP: Part 2
