AIR Application Security from the User’s Point of View

July 29, 2008

The AIR runtime can be seen as a mashup of the Web and desktop worlds. It lets Web developers write applications for the desktop using familiar technologies like Flash, Flex, HTML & JS. There has been a lot of debate lately about what security holes this would expose, how attackers can exploit them, and how we as common folk can guard against them.

This warrants a look at the AIR Security model and the hooks that the platform provides to guard yourself (a user) against attackers…

But before I go forward, I cannot but stress one fact:

As a user, consider AIR apps as desktop applications (because that is what they are) and take as much care while installing them as you would when you install “any other desktop application”. DO NOT consider them like websites, because you are now giving the app direct access to your system (again… just like “any other desktop application”). Further, quoting the AIR 1.0 Security Whitepaper:

“In general, users should not install any desktop application (including an AIR application) that comes from a source that they do not trust, or that cannot be verified. The burden of proof on security for native applications is equally true for AIR applications as it is for other installable applications.”
