The AIR runtime can be seen as a mash-up of the Web and desktop worlds. It lets Web developers write applications for the desktop using familiar technologies like Flash, Flex, HTML & JS. There has been a lot of debate lately about what security holes this exposes, how attackers can exploit them, and how we as common folk can guard against them.
This warrants a look at the AIR Security model and the hooks that the platform provides to guard yourself (a user) against attackers…
But before I go forward, I cannot but stress one fact:
As a user, consider AIR apps as desktop applications (because that is what they are) and take as much care while installing them as you would when you install “any other desktop application”. DO NOT consider them like websites, because you are now giving the app direct access to your system (again… just like “any other desktop application”). Further, quoting the AIR 1.0 Security Whitepaper:
“In general, users should not install any desktop application (including an AIR application) that comes from a source that they do not trust, or that cannot be verified. The burden of proof on security for native applications is equally true for AIR applications as it is for other installable applications.”
The first point of security, as far as users are concerned, comes as early as the installation process. When the developer exports the .air installer, he has to “mandatorily” sign the application with a security certificate. These certificates help you verify the identity of the company/developer who is providing the application to you. The certificate may be of two types:
- A certificate from a trusted Certification Authority like Verisign or Thawte
- A self-signed certificate
In each of these cases, the installer window shown to the user is different, as below. The first screenshot is of an app from AOL (AOL Top 100 Videos AIR App), which is signed with a certificate from a Certification Authority, while the second app is signed with a self-signed certificate.
AIR App signed using a certificate from a Certification Authority
AIR App signed using a self-signed certificate
The user has to read these carefully and decide whether or not to install the application. An additional note from the security whitepaper:
If an AIR file is signed with a certificate that does not chain to one of the trusted root certificates (and normally this includes all self-signed certificates), then the publisher information cannot be verified. While AIR can determine that the AIR file has not been altered since it was signed, there is no way to verify who actually created and signed the file.
To further make things secure, AIR imposes a restriction that all updates to the application should also be signed with the same certificate that was used to sign the first version of the app.
AIR Registry Policies
In addition to keeping the user in mind, AIR also allows the administrator of the machine to put in policies which can for example prevent the users of the machine from installing any unsigned applications. On Windows, administrators can configure a machine to prevent (or allow) AIR application installation and runtime updates.
These settings are contained in the Windows registry under the following key: HKLM\Software\Policies\Adobe\AIR (create it if it is not there). The key can have the following DWORDs, whose value can be either 0 or 1 (0 means NO and 1 means YES 🙂):
AppInstallDisabled, UntrustedAppInstallDisabled and UpdateDisabled
Say UntrustedAppInstallDisabled is set to 1: when a user tries to install an unsigned app, the following window is thrown.
Even if installation of AIR applications is allowed, the following restrictions are always observed:
- On Mac OS, to install or update an application, the user needs to have adequate system privileges to install to the application directory.
- On Windows, a user needs to have administrative privileges…
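One way an administrator could apply and then verify the three registry policy values described above, as an added PowerShell example that is not from the original post or from Adobe. The 0/1 choices are an assumption for a machine that should refuse untrusted apps, and the function names are hypothetical.

```powershell
# Added example: set and audit the AIR policy DWORDs named in this post.
# Run from an elevated prompt; HKLM is writable only by administrators.
$KeyPath = 'HKLM:\Software\Policies\Adobe\AIR'

# Assumed target state (0 = NO, 1 = YES, as described in the post).
$Desired = [ordered]@{
    AppInstallDisabled          = 0   # installs are not disabled outright
    UntrustedAppInstallDisabled = 1   # untrusted app installs are disabled
    UpdateDisabled              = 0   # updates are not disabled
}

# Hypothetical helper: report each policy value, or $null when it is not set.
function Get-AirPolicy {
    param([string]$Path, [string[]]$Names)
    $props = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    foreach ($name in $Names) {
        $value = if ($props -and $props.PSObject.Properties[$name]) { $props.$name } else { $null }
        [pscustomobject]@{ Name = $name; Value = $value }
    }
}

# Hypothetical helper: create the key if it is missing, then write the DWORDs.
function Set-AirPolicy {
    param([string]$Path, [System.Collections.IDictionary]$Values)
    if (-not (Test-Path -Path $Path)) {
        New-Item -Path $Path -Force | Out-Null
    }
    foreach ($name in $Values.Keys) {
        $v = [int]$Values[$name]
        if ($v -notin 0, 1) { throw "$name must be 0 or 1, got $v" }
        New-ItemProperty -Path $Path -Name $name -Value $v -PropertyType DWord -Force | Out-Null
    }
}

$names = @($Desired.Keys)
Write-Host 'Before:'
Get-AirPolicy -Path $KeyPath -Names $names | Format-Table -AutoSize

Set-AirPolicy -Path $KeyPath -Values $Desired

# Read the values back and flag anything that does not match the target state.
$after = Get-AirPolicy -Path $KeyPath -Names $names
$drift = $after | Where-Object { $_.Value -ne $Desired[$_.Name] }
Write-Host 'After:'
$after | Format-Table -AutoSize
if ($drift) { Write-Warning "Policy drift: $($drift.Name -join ', ')" }
else        { Write-Host 'All AIR policy values match the desired state.' }
```

Running only the `Get-AirPolicy` call, without `Set-AirPolicy`, turns this into a read-only audit that can be repeated across machines.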
Hope this puts to rest the whole debate about security for AIR apps from the user's perspective… To know more about AIR security, you can refer to the following articles:
- Introducing the Adobe AIR security model
- Digitally signing Adobe AIR applications
- Adobe AIR 1.0 Security Whitepaper
- Security Best Practices for AIR developers