Category:OWASP AIR Security Project

Overview
OWASP's AIR Security Project is an open project for sharing a knowledge base in order to raise awareness around the subject of AIR application security.

What is AIR? The Adobe AIR runtime allows developers to build cross-platform desktop applications. AIR allows developers to create their applications through ActionScript, HTML, JavaScript or a combination of those languages. While developers can use web languages for the purposes of creating code, AIR applications are standalone desktop applications with no relationship to the end-user's web browser.

AIR requires that all applications be digitally signed so that end-users can verify the author application. AIR supports digitally signing the application with both self-signed certificates as well as those verified by a trusted CA. The install experience for installing the application is similar to the Microsoft experience for installing an executable. If the application is signed by a trusted CA, then the end-user will receive a dialog showing the author's information from the certificate. If the application is self-signed, the user will receiving a warning and no information from the certificate will be shown. AIR requires administrative privileges on the OS to install the application. Once the application is installed, the application will run with the privileges of the user who starts the application. Applications are registered with the OS so that the add/remove functionality of the OS can be used to install or uninstall the application.

To install an application, AIR provides it's own download manager and install dialogues in order to provide a consistent cross-platform experience. The download and install of the application can be launched from a SWF badge that is hosted on the website. The SWF merely calls an API to tell the AIR runtime start the download process and provides the URL of the application to be downloaded. The end-user will be provided with an Open/Save/Cancel dialogue. The Open button will lead the user to the certificate verification dialog and the following application install choices such as install location. AIR also allows the developer to choose to make their application available to be launched from the browser.

By default, AIR applications can not be launched from the web browser but it is possible. Typically, applications that wanted to be launched from the web browser would register a scheme with the OS. However, custom schemes have lead to several security issues. To solve this, AIR instead allows a SWF hosted on the website to launch the application. The SWF can call the AIR application and provide arguments within the call through a formally defined API within ActionScript.

AIR contains two security sandboxes for separating privilege within the application. The application sandbox is the fully privileged sandbox that provides the APIs for desktop interaction. Certain restrictions exist within this sandbox to drive developers towards secure programming practices. There is also a non-application sandbox for loading untrusted content from the web. Content loaded within the non-application sandbox will execute with traditional web browser sandbox permissions. Developers can choose to expose functionality from the application sandbox to the non-application sandbox through the use of a sandbox bridge. This must be done manually by the developer and the developer explicitly chooses the variables or functions that are exposed.

Goals
The OWASP AIR Security Project aims is to produce guidelines, references and tools around AIR Application Security.

Articles
Overviews

Introduction to the AIR Security Model An Adobe blog introducing the AIR security model at a high level.

Signing code

Digitally Signing Adobe AIR Applications An Adobe Developer Center article on how to sign and test AIR applications.

Code Signing in Adobe AIR An in depth, Dr. Dobb's Journal article on code signing in Adobe AIR.

Updating

Managing Adobe AIR updates with ColdFusion 8 An Adobe Developer Center article on how to push out updates to AIR applications.

Building AIR applications that can be easily updated An Adobe Developer Center article by David Daraedt on leveraging AIR's auto-update capabilities.

Using the Adobe AIR update framework A Flex quick start guide to the AIR Update framework.

Remote Plugins and Modules in AIR An Adobe blog entry on how to load remote modules in AIR applications.

Cryptography

Storing encrypted data Adobe's developer documentation regarding secure storage options.

EncryptedLocalStore class The AIR documentation reference for the Encrypted Local Store class.

Using encryption with SQL databases Adobe's developer documentation on encrypting SQL databases.

Using the EncryptionKeyGenerator class to obtain a secure encryption key Adobe's developer documentation on generating keys.

Creating and validating XML signatures An Adobe Developer Center article on leveraging the XMLSignatureValidator API in Adobe AIR.

Considerations for using encryption with a database Adobe AIR documentation on SQL database encryption options.

SQL Injection

Using parameters in statements Adobe AIR documentation on using parametrized queries.

SQLStatement.parameters property Property reference from the Adobe AIR documentation.

Presentations
[1] Maintaining Security With Adobe AIR [ppt] [video] The session on AIR security presented at MAX 2008 by Ethan Malasky and Peleus Uhley.

[2] Designing Secure AIR Applications [video] A video recording of Adobe's Ethan Malasky presenting on AIR Security.

[3] Adobe AIR Data Privacy and Security [zip] A May 20, 2009 presentation from the 360|Flex conference in Indianapolis, IN.

Useful Frameworks
Adobe AIR Update Framework A beta framework for including good update capabilities within your application.

Useful Specifications
AVM2 Specification Describes the Flash ActionScript Virtual Machine used for ActionScript 3.0 code.

AMF3 Specification The specification for version 3 of AMF used by Flash Player.

AMF0 Specification The specification for the first generation of AMF (AMF 0) used by Flash Player.

RTMP Specification This is the specification for the Real Time Messaging Protocol used by SWF content

FLV/F4V Specification The FLV/F4V open specification documents the file formats for storing media content used to deliver streaming audio and video for playback in Adobe® Flash® Player and Adobe AIR™ software.

Cross-domain policy file specification This document serves as a reference for the structure and use of cross-domain policy files.

Related Projects
OWASP Flash Security Project