MAX2008: Maintain Security With Adobe AIR

That was the title of the session I did with Peleus Uhley on Wednesday. It’s always fun to talk about security, especially with such an informed audience. Hopefully it was fun for them, too.
It’s taken longer than I’d hoped but the slides are available here as PDF.

UPDATE 2012/05/28: Updated the link to the PDF, which got busted in blog migration.

4 Responses to MAX2008: Maintain Security With Adobe AIR

  1. RobMcM says:

    Hi Ethan,
    I seem to have hit a brick wall with the security in AIR. I need to download and load in swf modules at runtime, but I want to keep them inside a network AND filesystem restricted sandbox, giving them access to methods via a parentSandboxBridge.
    However it seems the normal method of loading modules only works for modules bundled at compile time, and the only way to load modules in at runtime from outside the AppDirectory is to allowLoadBytesCodeExecution which gives full access.
    Is there any way I can get AIR to let me run downloaded modules in a sandbox?
    Thanks
    Rob

  2. Ethan says:

    Flex 3.2 supports modules that are not imported into the loader’s SecurityDomain. This means that an AIR app can load local untrusted modules from the filesystem without getting SecurityError exceptions.

  3. RobMcM says:

    If I do this using the ModuleManager.getModule( file.url ) where file is an instance of the File class resolved to my Flex swf () I get the following error:
    “SWF is not a loadable module”
    There is an explanation here:
    http://blogs.adobe.com/aharui/2007/03/swf_is_not_a_loadable_module.html
    However as this is coming from a local file:// url I can’t expose a cross domain policy file.
    I also can’t add sandboxe bridges, or security/app domains as it’s not loaded using the Loader class.
    Any more info would be really helpful, any reference to bridges is in HTML. Thanks

  4. a says:

    Flex 3.2 supports modules that are not imported into the loader’s SecurityDomain. This means that an AIR app can load local untrusted modules from the filesystem without getting SecurityError exceptions.