Security is not necessarily a phase of the application development process, but is an issue that you should take into consideration during the entire development process. That is, you do not configure, build, test, and deploy an application, and then define the security issues. Rather, you take security into consideration during all phases.

Building security into your application often takes the following main efforts:

• Using the security features built into Flash Player
• Building security into your application

Flash Player has several security features built into it, including sandbox security, that you can take advantage of because you are building applications for Flash Player.

But, Flash Player security is not enough for many application requirements. For example, your application may require the user to log in, or perform authentication in some other way, before accessing data services. When you must handle security issues beyond those built into Flash Player, design them into your application from the initial design phase, test them during the compile phase, and verify them during the deploy phase.

For more information on security, see Applying Flex Security.

About the security model

The Flex security model protects both the client and the server. Consider the following general aspects of security when you deploy Flex applications:

• Flash Player operating in a sandbox on the client
• Authorizing and authenticating users who access a server's resources

Flash Player runs inside a security sandbox that prevents the client from being hijacked by malicious application code. This sandbox prevents a user from running a Flex application that can access system files and perform other tasks.

Flash Player security

Flash Player has an extensive list of features that ensure Flash content is secure, including the following:

• Uses the encryption capabilities of SSL in the browser to encrypt all communications between a Flash application and the server
• Includes an extensive sandbox security system that limits transfer of information that might pose a risk to security or privacy
• Does not allow applications to read data from the local drive, except for SharedObjects that were created by that domain
• Does not allow writing any data to the disk except for data that is encapsulated in SharedObjects
• Does not allow web content to read any data from a server that is not from the same domain, unless that server explicitly allows access
• Enables the user to disable the storage of information for any domain
• Does not allow data to be sent from a camera or microphone unless the user gives permission