
Security: Achievement and score API in AS3

Over the years I've become an uber-nerd when it comes to Flash game development. Now I'm thinking about looking into using my skills for helping other game-developers out there.

I want to develop an API in AS3 which will allow the developer to do (as a start) the following:

  1. Display a dialogue which lets the user log into their "account" (hosted on my site).
  2. Send a score/value to the website and attribute it to the logged in user.
  3. Unlock an achievement (achievements will be set up by the developer in the web interface - which is where they will also get a key of some type to use with their API).
  4. Display high scores, other players' profiles in-game, etc (show basically any stats in-game).

All easy enough to develop straight off the bat. However, where it becomes frustrating is security. I'm not expecting an indestructible solution that I'm fully aware isn't possible, but what would be the most defensive way to approach this?

Here are the issues that I can think up on the spot:

  1. The big one - people stealing the API key via man-in-the-middle attack.
  2. Highscore injection, false achievement unlocks.
  3. Decompiling the SWF and stealing the API key.
  4. Using the API key to create a dummy Flash application and send random data like highscores.
  5. Altering the API itself so you don't need to be logged in, etc.

One thought I've had was converting my API to a component so there's no access to the code (unless you decompile). The problem here is it's just not friendly to the developers, though it would allow me to create my own graphics for the UI (rather than coding many, many sprites).

Private/public keys won't work unless there is very good protection against decompiling.

I'm beginning to wonder if this idea is a dead end.

Any advice on securing this (or parts of it) would be great.

Marty Avatar asked Nov 14 '22 00:11



1 Answer

Look at this thread first if you haven't done so already: "What is the best way to stop people hacking the PHP-based highscore table of a Flash game"

frankhermes Avatar answered Jan 14 '23 23:01
