Security Response

Running on AIR

Created: 25 Feb 2008 08:00:00 GMT • Updated: 23 Jan 2014 18:42:06 GMT
Hon Lau

Today, Adobe officially launched their new infrastructure for delivering rich Internet applications to your desktop: Adobe Integrated Runtime, or "AIR" for short. At first glance, Adobe AIR looks like a mashup of many of the existing Web and Adobe technologies such as HTML, AJAX, ActionScript, Flash, and Flex. By combining rich media and user interface features, and leveraging the existing expertise in these technologies, Adobe hopes to bring highly interactive and engaging Web applications to the desktop.

Technologies provided by Adobe, such as Flash, enable a multimedia developer to easily create fantastic-looking and engaging applications and deploy them across various platforms by operating within a browser environment. Adobe AIR takes it a step further by liberating these technologies and placing them within their own desktop-based environment in a similar fashion to Java or .NET. Using this approach, it can achieve a number of aims:

• Impose its own security restrictions upon the applications that operate within it.
• Offer rich and highly engaging content by using existing technologies.
• Package Web technologies within a desktop operating environment, with or without the browser.
• Operating system independence.

AIR offers a powerful set of APIs that enables an application to access parts of the host computer. For example, AIR allows you to write and manipulate files on the file system. When you combine its file system capabilities with the ability to make remote networking requests to download content, you can quite easily see the potential for danger. For example, it is quite possible for somebody to write a malicious application to run in Adobe AIR, downloading code remotely or engaging in other nefarious activities, such as denial of service attacks or stealing information.

Given the potential for misuse that the power available in AIR creates, Adobe has taken steps to address such security implications. AIR applications may employ a number of sandboxes in which to operate, such as trusted and untrusted zones. Application code running in the trusted zone will have full and direct access to the AIR APIs, while untrusted content will not. Of course, people will inevitably find ways around this and malware creators will no doubt attempt to exploit them.

Another aspect of the Adobe AIR security model is the concept of application signing. While this can help to provide some security, it does not really go far enough to prevent many of the security issues that we see today. According to Adobe, self-signed applications will be flagged prominently before the application is installed. The problem with this type of security is that many end users often don't really care or know enough about security issues to take heed of the warnings. In many cases, the user is the weakest link, susceptible to con tricks and social engineering. Often users are easily tempted by social engineering tricks such as the latest news, sex, drugs, etc. and end up running something even if they are not sure who created the application.

The introduction of Adobe AIR has no doubt opened up a new wave of possibilities for the development of exciting and engaging network-aware desktop applications. But with its powerful capabilities and reliance on one of the weakest forms of security (i.e. the average computer user), if AIR becomes ubiquitous we can surely expect to see malicious code authors targeting it.