Category:OWASP AIR Security Project

Overview
OWASP's AIR Security Project is an open project for sharing a knowledge base in order to raise awareness around the subject of AIR application security.

What is AIR? Adobe AIR is a platform for building desktop applications. Unlike other RIA technologies, AIR does not run within or extend the web browser. Since AIR is a platform that allows developers to create fully privileged desktop applications, AIR requires that all applications be digitally signed. AIR supports digitally signing the application with both self-signed certificates as well as those verified by a trusted CA. The install experience for installing the application is similar to the Microsoft experience for installing an executable. If the application is signed by a trusted CA, then the end-user will receive a dialog showing the author's information from the certificate. If the application is self-signed, the user will receiving a warning and no information from the certificate will be shown. AIR requires administrative privileges on the OS to install the application. Once the application is installed, the application will run with the privileges of the user who starts the application. Applications are registered with the OS so that the add/remove functionality of the OS can be used to install or uninstall the application.

AIR allows developer to create their applications through ActionScript, HTML, JavaScript or a combination of those technologies. AIR contains two security sandboxes for separating privilege within the application. The application sandbox is the fully privileged sandbox that provides the APIs for desktop interaction. Certain restrictions exist within this sandbox to drive developers towards secure programming practices. There is also a non-application sandbox for loading untrusted content from the web. Content loaded within the non-application sandbox will execute with traditional web browser sandbox permissions. Developers can choose to expose functionality from the application sandbox to the non-application sandbox through the use of a sandbox bridge. This must be done manually by the developer and the developer explicitly chooses the variables or functions that are exposed.

To install an application, AIR provides it's own download manager and install dialogues in order to provide a consistent cross-browser experience. The download and install of the application can be launched from a SWF badge that is hosted on the website. The SWF merely calls an API to tell the AIR runtime start the download process and provides the URL of the application to be downloaded. The end-user will be provided with an Open/Save dialogue. The Open button will lead the user to the certificate verification dialog and the following application install choices such as install location. AIR also allows the developer to choose to make their application available to be launched from the browser. By default, AIR applications can not be launched from the web browser. Typically, desktop applications would register a custom protocol with the browser to allow their application to be launched from the browser. These have lead to several security issues in the past. To solve this, AIR instead allows a SWF hosted on the website to launch the application. The SWF can call the AIR application and provide arguments within the call through a formally defined API.

Goals
The OWASP AIR Security Project aims is to produce guidelines, references and tools around AIR Application Security.

Articles
[1] Introduction to the AIR Security Model An Adobe blog introducing the AIR security model at a high level.

[2] Digitally Signing Adobe AIR Applications An Adobe Developer Center article on how to sign and test AIR applications.

[3] Managing Adobe AIR updates with ColdFusion 8 An Adobe Developer Center article on how to push out updates to AIR applications.

[4] Remote Plugins and Modules in AIR An Adobe blog entry on how to load remote modules in AIR applications.

[5] Code Signing in Adobe AIR An in depth, Dr. Dobb's Journal article on code signing in Adobe AIR.

[6] Creating and validating XML signatures An Adobe Developer Center article on leveraging the XMLSignatureValidator API in Adobe AIR.

[7] Building AIR applications that can be easily updated An Adobe Developer Center article by David Daraedt on leveraging AIR's auto-update capabilities.

[8] Using the Adobe AIR update framework A Flex quick start guide to the AIR Update framework.

White Papers
[1] Adobe AIR 1.0 Security pdf, Adobe.

Presentations
[1] Maintaining Security With Adobe AIR [ppt] [video] The session on AIR security presented at MAX 2008 by Ethan Malasky and Peleus Uhley.

[2] Designing Secure AIR Applications [video] A video recording of Adobe's Ethan Malasky presenting on AIR Security.

Useful Frameworks
Adobe AIR Update Framework A beta framework for including good update capabilities within your application.

Useful Specifications
AVM2 Specification Describes the Flash ActionScript Virtual Machine used for ActionScript 3.0 code.

AMF3 Specification The specification for version 3 of AMF used by Flash Player.

AMF0 Specification The specification for the first generation of AMF (AMF 0) used by Flash Player.

RTMP Specification This is the specification for the Real Time Messaging Protocol used by SWF content

FLV/F4V Specification The FLV/F4V open specification documents the file formats for storing media content used to deliver streaming audio and video for playback in Adobe® Flash® Player and Adobe AIR™ software.

Cross-domain policy file specification This document serves as a reference for the structure and use of cross-domain policy files.

Related Projects
OWASP Flash Security Project