[Owasp-leaders] security concerns about Adobe Air

Peleus Uhley puhley at adobe.com
Tue Apr 6 01:57:38 EDT 2010

	The OWASP AIR Security Project (http://www.owasp.org/index.php/Category:OWASP_AIR_Security_Project) and the OWASP Flash Security Project (http://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project) are useful resources for developers who want to create secure AIR applications. If desktop administrators have questions regarding AIR, Adobe provides resources at: http://www.adobe.com/products/air/it_administrators/.
	With regards to file access, desktop applications based on the AIR runtime follow the same security model as any other desktop application. The application will inherit the privileges of the user who launched it and the application will be able to access any file or resource that the user has permission to access. You are trusting the author of the desktop application not to misuse their privileges which is why all AIR applications must be digitally signed by the author.
	Although, sometimes trustworthy authors make mistakes during development that could allow unauthorized access of local files or resources by untrusted content. To help reduce those types of vulnerabilities, the AIR runtime restricts sensitive APIs and implements secure defaults. As an example, any content that was not contained within the signed install package is considered to be untrusted and it is placed in a restricted sandbox by default. If the developer wants to grant the restricted content additional privileges, then the runtime provides APIs where developers can specifically choose what functionality or data is exposed. Therefore, file access is never granted to remote content by default and the developer can selectively choose what, if any, files or data are exposed.
	Let me know if you have any further questions.


Peleus Uhley
Senior Security Researcher
Adobe Systems, Inc.

-----Original Message-----
From: owasp-leaders-bounces at lists.owasp.org [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Dale Castle
Sent: Monday, March 22, 2010 11:36 AM
To: owasp-leaders at lists.owasp.org
Subject: [Owasp-leaders] security concerns about Adobe Air

One of my OWASP chapter members was concerned about turning flash into desktop applications with Adobe Air. Is there any secure way to do this or guidance that OWASP provides. There is a University Adobe group that would welcome a speaker (virtual or in person) if anyone would like to present on this. If it's an easy answer, I will pass that along. Thank you.

- Dale

Dale Castle
OWASP Charlottesville Chapter Lead
dale.castle at owasp.org

> From a security perspective, I can tell you that I personally have concerns regarding Adobe's AIR platform. While convenient for Flash/Flex developers to turn their web apps into full-blown client applications, they are taking to installing it on client PC's when users update their Flash client (and/or Acrobat Updates). The difference between the Flash Platform and the AIR platform is that while the Flash platform has only one folder where any kind of caching files can be stored (see StoredObjects), the AIR platform allows an application to write and access anything on a user's computer, including hardware. While this is quite convenient and full-featured, the security risks this poses is too great for me here in HR to permit AIR to remain installed on user's computers.
> While Adobe may have tightened their security on that since I last investigated it, I remain cautious until proven otherwise. I generally recommend folks stick with their Flash platform rather than diversifying into the AIR platform. It's not that I don't see a niche for it. I do see it as a wonderful platform for internal apps, but not for the WWW. It's just . . . me, perhaps.
OWASP-Leaders mailing list
OWASP-Leaders at lists.owasp.org

More information about the OWASP-Leaders mailing list