Flash able to block SWF download?

Started by
5 comments, last by Davai 10 years, 8 months ago

I am currently working in 2 directions at once on unrelated projects, so if I ask a strange mix of questions don't be surprised.

I finally broke down and got Flash Pro and dug into the books and the tutorials, and have a fully functioning game made (though I haven't finished the recordkeeping via SQL yet).

The problem I have now is, if I embed it somewhere on the group's site, any average user can come along and literally download the entire game (SWF) and take it apart, redesign it, whatever they like.

How is it that some Facebook games are (I'm told) done entirely in Flash but manage to host a secure game where the only thing the user has access to is what the developers want them to?

(I have seen links for swf encryption software, but that is a separate sort of preventative from what I am looking for. I am more interested in learning how to limit my product's exposure to the user than I am actually doing so.)


I only ever did Flash without paying Adobe money, just using the compiler and libraries (the only issue I ever had was to ask a game portal to provide their assets in another format for inclusion, since they originally provided an Adobe-only one). What I did there was, in amongst the startup code, grab the location the SWF was running from and check it against a whitelist from the portal, and if it was not running there, prevent the SWF from working.

Of course not completely bulletproof, people can decompile your SWF and work around anything like that, but it stops people casually downloading the file and putting it in a different web page, they need some basic level of Flash (programming / ActionScript) skill. You can possibly obfuscate Flash, but I do not think it would make this harder, since searching for say domain name strings would be a start point, otherwise just look at the game's "start point", and follow the code (e.g. if you implemented in such a way the string "mydomain.com" never occurs).

In theory (not ever tried any of the following) if your game includes a server component, then the server can be your protection, and be potentially almost unbreakable.

e.g. say your server fulfills vital roles. In a multi player game it is needed to bring players together, and possibly run game logic, but in single player it could still be the store for important data like the game's levels or used to process things that could have a slight delay (if you have enough processing power on the server).

Also say your server only accepts a TCP connection if the first thing that connection sends is a single use key the server allocated to that IP address. And say the server allocates those when the game's real page is loaded, placing it in some HTML/JavaScript for the SWF to pull out.

Now you have a game that really needs your server, which is completely proprietary and being on a secure server does not have any code readily available, so will be hard to reverse engineer and replace. And the user needs to visit your webpage or the SWF can't connect to the server.

That seems a lot more difficult to work around, and if someone does break around the connection-key thing, you can make an update to the server and SWF to secure it again.
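The single-use connection key described in the post above could look like this on the server side. This is an added example, not code from the thread; Python is assumed for the server, and the `ConnectionKeys` class and its method names are hypothetical.

```python
import hashlib
import secrets
import time


class ConnectionKeys:
    """Single-use connection keys, each bound to the IP that loaded the game page."""

    def __init__(self, ttl_seconds=120, clock=time.monotonic):
        self.ttl = ttl_seconds
        self.clock = clock            # injectable so expiry can be tested
        self._pending = {}            # sha256(key) -> (ip, expiry)

    @staticmethod
    def _digest(key):
        # Store only a hash, so a dump of the table does not yield usable keys.
        return hashlib.sha256(key.encode("utf-8")).hexdigest()

    def issue(self, ip):
        """Call while rendering the real game page; embed the result in its HTML/JS."""
        now = self.clock()
        # Drop keys that were never redeemed so the table cannot grow without bound.
        self._pending = {d: e for d, e in self._pending.items() if e[1] >= now}
        key = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG
        self._pending[self._digest(key)] = (ip, now + self.ttl)
        return key

    def redeem(self, ip, presented):
        """Call with the first message of a new TCP connection; True means accept."""
        # pop() makes the key single-use: a replay, or a use from the wrong
        # address, finds nothing the second time.
        entry = self._pending.pop(self._digest(presented), None)
        if entry is None:
            return False
        bound_ip, expiry = entry
        return bound_ip == ip and self.clock() <= expiry


if __name__ == "__main__":
    # Constructed demo using documentation-range addresses.
    keys = ConnectionKeys(ttl_seconds=60)
    k = keys.issue("203.0.113.7")
    print("page visitor, first connect:", keys.redeem("203.0.113.7", k))
    print("same key replayed:          ", keys.redeem("203.0.113.7", k))
    k = keys.issue("203.0.113.7")
    print("key copied to another host: ", keys.redeem("198.51.100.9", k))
```

Keying the table by the key's hash rather than by IP lets several players behind one NAT address each hold their own pending key, while the IP check still ties every key to the address that loaded the page.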

Thank you for the effort at helping :) These would each prevent someone taking the file and putting it up elsewhere, and obfuscation/encryption might deter some from redesigning from it.

But I am holding on to hope that someone can help point me in the right direction to learn how to block the download of the file(s) in the first place. I can't really wrap my mind around how you could prevent the user obtaining files that must reach the user's browser in order to be used.. but somehow it is being done every day in pay-services that use flash, social app games, etc.

The SWF runs on the user's web browser, if they are running it, then they downloaded it. If you want to stop code ever reaching the user, just stream a video to the user from the server and send inputs back (so the entire game runs on the server). Of course you need the bandwidth and processing power to manage that. And for most games I suspect a server in pretty much every region of the world to keep latency acceptable.

The SWF runs on the user's web browser, if they are running it, then they downloaded it.

See this is why I am stumped by this concept.

Take the (no idea how it is popular) game Farmville.

It was developed in Flash, and supposedly using Adobe's products.

There is a stage (the game itself) and movie clips played on it (the characters and animals and whatnot) - but at no time is there a delivery of the flash itself (other than the clips) to the client.

I suppose one could (never played it to try) capture the individual animations, if they really wanted a little farmer taking a step or a sheep eating grass or something. But the internal composition, the actionscript behind the input/output, the variables, the arguments, the conditions, the placement and selection of clips.. is all handled Off-Stage somehow.

I have dug into the official documentation and found nothing relating to this, nor have I been able to find anything unofficial.. thus my question here.

-- Java is so much simpler.. heck C++ is simpler!

Well I have no idea how they did it. Where did you get that info?

Like I said if the flash player executes / displays it, the flash player needs to have downloaded that code / assets (there is a little bit of cleverness there so that code can execute if it does not depend on any content that is not yet downloaded giving you the progress bars, but at a guess that works by the flash compiler putting that stuff at the start of the file so it is downloaded first).

Once the SWF is running, you can also load other SWFs with more code and assets (http://helpx.adobe.com/flash/kb/load-external-swf-swf.html), but of course again technically the SWF here is downloading that other SWF to the client. A little harder to break since it might not be immediately obvious that this other SWF exists, but quickly monitoring network traffic would reveal it, or looking at the decompiled code. And you would still need to protect your server against handing off these additional SWFs to a hacked/moved main SWF.

The only way around this is like I said with a server, and run at least a large portion of the game on the server. It could just send pre-rendered frames back to the client (so basically a video), and the client sends it the mouse/keyboard events.

Well I have no idea how they did it. Where did you get that info?

Mainly from the interview with Joshua Morgan at the app dev center.
But also by the various articles about the game - usually more about its popularity but they all make the point that it is a flash application.

I had considered LoadMovie but that happens from the user's end, so it doesn't explain it.

I should probably give it up as a mystery I won't solve, but the more difficult it is for me to figure something out, the more determined I am to do so.

This topic is closed to new replies.
