I'm building a Flex app that will run publicly, and so I would like to protect the SWFs from reverse engineers as much as possible.
I once heard of ways to deny browsers direct access to the SWF files, yet allowing it to play within the main HTML page. I would like to know any such practices (and how to employ them) that can be used to harden a public webapp built in Flex.
You can't protected the SWF from being downloaded. The browser has to be able to download the swf to run it. There are some things you can to do make it very slightly more secure like have a simple swf that then loads a second swf, possibly after some challenge/response test, but in the end, the swf you need to run always has to get downloaded to the client.
The best you can do is use an obfuscator.
amayeta swfencrypt - http://www.amayeta.com/software/swfencrypt/
secureSWF http://www.kindisoft.com/secureSWF/download.php
irrFuscator ActionScript 3 Obfuscator http://www.ambiera.com/irrfuscator/
But even with obfuscation, the code can be decompiled.
http://www.asvguy.com/2007/02/swf_encrypt_swc.html
So bottom line, if the code is doing something really sensitive, do it on the server.