AIR: tight security for your apps. Pt 1. EncryptedLocalStore

Recently I looked into AIR security, specifically re: storing local data on the user’s machine. I’ve seen storing on the disk, and storing to SQLLite, but neither of these are secure and the data can be accessed by other apps. Fortunately your next resort doesnt have to be writing your own encryption algorithim, because we have the EncryptedLocalStore class (flash.data.*)

From Adobe livedocs:
A persistent encrypted local store is available for each AIR application installed on a user’s computer. This lets you save and retrieve data that is stored on the user’s local hard drive in an encrypted format that cannot be deciphered by other applications or users. A separate encrypted local store is used for each AIR application, and each AIR application uses a separate encrypted local store for each user. Encrypted local store data is put in a subdirectory of the user’s application data directory; the subdirectory path is Adobe/AIR/ELS/ followed by the application ID.

Similar to how one would use setProperty() when dealing with shared objects, you can call the static method EncryptedLocalStore.setItem(), passing it a ‘key’ or identifier along with your data, and store up to 10 MB of ByteArray data in the encrypted store. So, using the read/write methods of the ByteArray class, you can store much of your sensitive application data securely. To retrieve the data, call EncryptedLocalStore.getItem() with the appropriate key.

One good thing to note is that it is not by the Application ID that access rights are verified, rather by the signing certificate and publisher ID; to impersonate another application, you’d have to have stolen a signing key or have hacked AIR.

Learn more on LiveDocs: EncryptedLocalStore

ekz