AIR Application Security from the User’s Point of View

The AIR runtime can be looked upon as one that mashes up Web and Desktop Worlds. It allows Web developers to now write applications for the desktop using familiar technologies like Flash, Flex, HTML & JS. There has been a lot of debate lately on what security holes these would expose and how attackers can exploit them and how we as common folk can guard against it.

This warrants a look at the AIR Security model and the hooks that the platform provides to guard yourself (a user) against attackers…

But, before I go forward I cannot but stress one fact

As a user, consider AIR apps as Desktop applications (because that is what they are) and ensure as much care while installing them as you would when you insall “any other desktop application”. DO NOT consider them like websites because you are now giving the app direct access to your system (again… Just like “any other desktop application”). Further, quoting the AIR1.0 Security Whitepaper:

“In general, users should not install any desktop application (including an AIR application) that comes from a source that they do not trust, or that cannot be verified. The burden of proof on security for native applications is equally true for AIR applications as it is for other installable applications.”

Insallation Process

The first point of security as far as users are considered is provided as early as the installation process. When the developer exports the .air installer, he has to “mandatorily” sign the application with a security certificate. These certificates helps you to verify the identity of the company/developer who is providing the application to you. This certificate may be of two types:

  1. A certificate from a trusted Certification Authority like Verisign or Thawte
  2. A self-signed certificate

In both these cases, the installer window thrown to the user is different, as below. The first screenshot is of an app from AOL (AOL Top 100 Videos AIR App) which is signed while the second app is signed by a self-signed certificate.

AIR App signed using a certificate from an Certification Authority

AIR App signed using a self-signed certificate

The user has to read these carefully and decide if to install the application or not. An additional note from the security whitepaper:

If an AIR file is signed with a certificate that does not chain to one of the trusted root certificates (and normally this includes all self-signed certificates), then the publisher information cannot be verified. While AIR can determine that the AIR file has not been altered since it was signed, there is no way to verify who actually created and signed the file.

To further make things secure, AIR imposes a restriction that all updates to the application should also be signed with the same certificate that was used to sign the first version of the app.

AIR Registry Policies

In addition to keeping the user in mind, AIR also allows the administrator of the machine to put in policies which can for example prevent the users of the machine from installing any unsigned applications. On Windows, administrators can configure a machine to prevent (or allow) AIR application installation and runtime updates.

These settings are contained in the Windows registry under the following key: HKLM\Software\Policies\Adobe\AIR (create it if it is not there).The key can have the following DWORDS whose value can be either 0 or 1 (0 means NO and 1 means YES 🙂 ) :

AppInstallDisabled, UntrustedAppInstallDisabled and UpdateDisabled

Say if UntrustedAppInstallDisabled is set to 1, when a user tries to install a unsigned app the following window is thrown.

Even if installation of AIR applications is allowed, the following restrictions are always observed:

  • On Mac OS, to install or update an application, the user needs to have adequate system privileges to install to the application directory.
  • On Windows, a user needs to have administrative privileges…

Hope this puts to rest, the whole debate of security for AIR Apps from the user perspective… To know more on AIR Security, you can refer the following articles:

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s