I'm building a social media app in Flash (AS3) that is tightly integrated with Facebook--all user accounts are handled via Facebook Connect, and all Facebook connectivity is handled via a combination of the JavaScript and AS3 Facebook APIs. I'm using CodeIgniter on the backend for server-side data management, which includes tracking user actions and data on the site through URLRequests from Flash.
My problem is that I don't know how to prevent spoofing of the server requests that are made from Flash; in theory, malicious users could track the calls that Flash is making to my server and reproduce them in a way that (for example) inserts garbage data and associates it with a given Facebook user ID in my database. All authentication is taking place on the client side (via the Facebook JS API) with no intervention by the server, so I'm having a hard time figuring out exactly how to secure calls between Flash and the server in a manner that ensures that users have to be authenticated with Facebook in order to make them.
One possibility I considered is using an encryption scheme known by the client and server to pass Facebook UIDs back and forth, which would certainly be better than passing them in the clear. However, it would only take one enterprising hacker with enough time/patience to break the scheme (or decompile the swf) to screw everything up.
Anyway, I may be overthinking this, but it seems like an important point and I'm really not sure of the best approach. Any feedback would be greatly appreciated!
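Added example, not part of the original post: one way to move the check to the server is to have Flash forward the `signed_request` string that Facebook issues to the logged-in client, and to verify its HMAC-SHA256 signature with the app secret, which stays on the server and is never compiled into the SWF. The function names, the secret and the user IDs below are constructed for illustration, and the sketch assumes the client has access to that string.

```php
<?php
// Added example. Function names, the secret and the user IDs are constructed.

function b64url_decode($s)
{
    $s = strtr($s, '-_', '+/');
    return base64_decode(str_pad($s, strlen($s) + (4 - strlen($s) % 4) % 4, '='), true);
}

function b64url_encode($s)
{
    return rtrim(strtr(base64_encode($s), '+/', '-_'), '=');
}

// Returns the Facebook user ID vouched for by the signature, or null.
function verified_facebook_uid($signedRequest, $appSecret)
{
    $parts = explode('.', (string) $signedRequest, 2);
    if (count($parts) !== 2) {
        return null;
    }
    list($sigB64, $payloadB64) = $parts;
    $sig  = b64url_decode($sigB64);
    $json = b64url_decode($payloadB64);
    if ($sig === false || $json === false) {
        return null;
    }
    $data = json_decode($json, true);
    if (!is_array($data) || !isset($data['algorithm'], $data['user_id'])
        || !is_string($data['algorithm'])
        || strtoupper($data['algorithm']) !== 'HMAC-SHA256') {
        return null;
    }
    // The MAC covers the encoded payload exactly as received.
    $expected = hash_hmac('sha256', $payloadB64, $appSecret, true);
    return hash_equals($expected, $sig) ? (string) $data['user_id'] : null;
}

// Constructed demo: a genuine token, then the same signature reused
// with a payload naming a different user ID.
$secret  = 'constructed-app-secret';
$payload = b64url_encode(json_encode(array('algorithm' => 'HMAC-SHA256', 'user_id' => '1000001')));
$genuine = b64url_encode(hash_hmac('sha256', $payload, $secret, true)) . '.' . $payload;
$forgedPayload = b64url_encode(json_encode(array('algorithm' => 'HMAC-SHA256', 'user_id' => '1000002')));
$forged  = explode('.', $genuine)[0] . '.' . $forgedPayload;

var_dump(verified_facebook_uid($genuine, $secret));
var_dump(verified_facebook_uid($forged, $secret));
```

After a successful check the server can store the verified ID in its own session and ignore any user ID sent as a parameter in later URLRequests from Flash.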