Adobe’s Paul Robertson has a thoughtful response to my complaint about AIR security. The point I made is that any AIR application has the same access to the file system as the user. This includes local SQLite databases as well as other documents. Robertson’s response:
In order for a user to access an AIR application, he or she must first choose to install the application, including going through a security dialog that will describe whether the application was signed with a security certificate. In this way, an AIR application is comparable to any other desktop application, such as one written in C++. Since any C++ application could theoretically include the SQLite library, installing an AIR application is no different from installing any C++ application in the sense that, by doing so, a user opens himself up to possible abuses and security risks.
The security risks of desktop apps are well-known, and that’s why users have learned to be cautious about installing them. A possible concern, though, is that Adobe wants to make installing AIR applications really easy. Here’s the description in the docs for seamless install:
The seamless install feature lets you provide a link in a web page that lets the user install an AIR application by simply clicking the link. If the AIR runtime is not installed, the user is given the option to install it. The seamless install feature also lets users install the AIR application without downloading the AIR file to their machine.
I’ve seen how much kids love playing Flash games on the Web. Some of these games would be a natural fit for AIR: play the game from a desktop shortcut, option to save your game locally, no browser baggage. What if a lot of these games turn into AIR apps? Suddenly, instead of online Flash games being relatively safe, they become relatively risky. If users become complacent about passing the AIR install dialog, then all the bad guy needs to do is to create a whizzy game that does a background search of your computer looking for online banking passwords.
The risks will be mitigated if Adobe restricts AIR to signed applications. That’s not the case with the beta:
A further point is that despite the scary dialog, AIR apps are actually tightly locked down from a developer perspective, with no access to native code such as the operating system API, scripts, or native dynamic libraries. While that’s good in one way, it’s arguably the worst of both worlds: not secure (because of full file system access), and not extensible either.
The appearance of the words “System Access: UNRESTRICTED” in the above dialog suggests that Adobe has, or is planning, a richer security model. If the default were no file I/O, or file I/O isolated to the source domain of the AIR application, that would help considerably. Add compulsory application signing and it would look better still.
I’ll add that I’m most impressed with Paul Robertson’s willingness to enter into this dialog. I wish other software vendors were equally responsive. AIR is in beta, so there’s time to fix problems.