Category:OWASP AIR Security Project
OWASP's AIR Security Project is an open project for sharing a knowledge base in order to raise awareness around the subject of AIR application security.
What is AIR?
Adobe AIR is a platform for building desktop applications. Unlike other RIA technologies, AIR does not run within or extend the web browser. Since AIR is a platform that allows developers to create fully privileged desktop applications, AIR requires that all applications be digitally signed. AIR supports digitally signing the application with both self-signed certificates as well as those verified by a trusted CA. The install experience for installing the application is similar to the Microsoft experience for installing an executable. If the application is signed by a trusted CA, then the end-user will receive a dialog showing the author's information from the certificate. If the application is self-signed, the user will receiving a warning and no information from the certificate will be shown. AIR requires administrative privileges on the OS to install the application. Once the application is installed, the application will run with the privileges of the user who starts the application. Applications are registered with the OS so that the add/remove functionality of the OS can be used to install or uninstall the application.
To install an application, AIR provides it's own download manager and install dialogues in order to provide a consistent cross-browser experience. The download and install of the application can be launched from a SWF badge that is hosted on the website. The SWF merely calls an API to tell the AIR runtime start the download process and provides the URL of the application to be downloaded. The end-user will be provided with an Open/Save dialogue. The Open button will lead the user to the certificate verification dialog and the following application install choices such as install location. AIR also allows the developer to choose to make their application available to be launched from the browser. By default, AIR applications can not be launched from the web browser. Typically, desktop applications would register a custom protocol with the browser to allow their application to be launched from the browser. These have lead to several security issues in the past. To solve this, AIR instead allows a SWF hosted on the website to launch the application. The SWF can call the AIR application and provide arguments within the call through a formally defined API.
The OWASP AIR Security Project aims is to produce guidelines, references and tools around AIR Application Security.
Overviews Introduction to the AIR Security Model An Adobe blog introducing the AIR security model at a high level.
Digitally Signing Adobe AIR Applications An Adobe Developer Center article on how to sign and test AIR applications.
Code Signing in Adobe AIR An in depth, Dr. Dobb's Journal article on code signing in Adobe AIR.
Managing Adobe AIR updates with ColdFusion 8 An Adobe Developer Center article on how to push out updates to AIR applications.
Building AIR applications that can be easily updated An Adobe Developer Center article by David Daraedt on leveraging AIR's auto-update capabilities.
Using the Adobe AIR update framework A Flex quick start guide to the AIR Update framework.
Remote Plugins and Modules in AIR An Adobe blog entry on how to load remote modules in AIR applications.
Storing encrypted data Adobe's developer documentation regarding secure storage options.
[http://livedocs.adobe.com/flex/3/langref/index.html?flash/data/EncryptedLocalStore.html&flash/data/class-list.html EncryptedLocalStore class" The AIR documentation reference for the Encrypted Local Store class.
Using encryption with SQL databases Adobe's developer documentation on encrypting SQL databases.
Using the EncryptionKeyGenerator class to obtain a secure encryption key Adobe's developer documentation on generating keys.
Creating and validating XML signatures An Adobe Developer Center article on leveraging the XMLSignatureValidator API in Adobe AIR.
Considerations for using encryption with a database Adobe AIR documentation on SQL database encryption options.
Using parameters in statements Adobe AIR documentation on using parametrized queries.
SQLStatement.parameters property Property reference from the Adobe AIR documentation.
 Adobe AIR 1.0 Security pdf, Adobe.
 Designing Secure AIR Applications [video] A video recording of Adobe's Ethan Malasky presenting on AIR Security.
Adobe AIR Update Framework A beta framework for including good update capabilities within your application.
 AIR 1.5 Security The Adobe AIR 1.5 security white paper.
 AIR Security with Flex This section of the Developing Adobe® AIR™ Applications with HTML and Ajax manual covers security topics such as best practices for developers, AIR sandboxes and Flex security.
 AIR Security with HTML This section of the Developing Adobe® AIR™ Applications with HTML and Ajax manual covers security topics such as best practices for developers, AIR sandboxes, and HTML security.
 Adobe Security Bulletins and Advisories This is where Adobe posts all of their security advisories and bulletins.
 AIR for IT Administrators This is the Adobe documentation geared towards IT administrators who deploy AIR throughout their desktop environments.
AVM2 Specification Describes the Flash ActionScript Virtual Machine used for ActionScript 3.0 code.
AMF3 Specification The specification for version 3 of AMF used by Flash Player.
AMF0 Specification The specification for the first generation of AMF (AMF 0) used by Flash Player.
RTMP Specification This is the specification for the Real Time Messaging Protocol used by SWF content
FLV/F4V Specification The FLV/F4V open specification documents the file formats for storing media content used to deliver streaming audio and video for playback in Adobe® Flash® Player and Adobe AIR™ software.
Cross-domain policy file specification This document serves as a reference for the structure and use of cross-domain policy files.
This category currently contains no pages or media.