Ethan Malasky

New TabSample App

Ethan Malasky — Tue, 22 Jun 2010 16:09:05 +0000

The TabSample app I posted three years ago has gone horribly stale.
Here’s a new version, with no additional features other than compiling nicely with the Flex 4 SDK.
TabSample.fxp
Thanks to xbrotherx on the AIR Forum for caring enough to post about it!

Privileged Modules: HOWTO validate signatures

Ethan Malasky — Mon, 15 Dec 2008 09:21:49 +0000

In previous blog posts and presentations, I’ve talked about the need to do signature validation before importing a module into an AIR application. People asked for specifics, but I haven’t managed to figure out all the details and document them well enough for common use.
Luckily, Charles “Joe” Ward has figured it out. Joe’s article on the Developer Center walks us through the steps needed to validate the signature of a resource, and how to sign the resource in the first place using ADT or our own Java code.
Using these techniques, it’s possible to load privileged modules into your AIR app. Download the module files (SWFs, say) along with their signature files. Store them somewhere local (app-storage: is good, app: is bad). Validate that they’re really the modules you developed and signed, then import them (using loadBytes() with allowLoadBytesCodeExecution enabled).
Read “Creating and validating XML signatures”.

MAX2008: Maintain Security With Adobe AIR

Ethan Malasky — Fri, 21 Nov 2008 18:43:19 +0000

That was the title of the session I did with Peleus Uhley on Wednesday. It’s always fun to talk about security, especially with such an informed audience. Hopefully it was fun for them, too.
It’s taken longer than I’d hoped but the slides are available here as PDF.
Or, just check them out below!

Adobe AIR Supports XSLT

Ethan Malasky — Sat, 11 Oct 2008 13:08:18 +0000

The internet is funny. Things get written, then cross-referenced, then indexed by mammoth search engines. Later, when the truth changes, the old postings stay around in various indexes.
So, if you did a search for “Adobe AIR XSLT” via your favorite search engine, you’d be forgiven for thinking that AIR doesn’t yet support client-side XSLT.
But the vast majority of those pages were from August 2007, when AIR was still in Beta. By the time AIR 1.0 launched in 2008, XSLT support was enabled.
So yes: Adobe AIR Supports XSLT!
I’ve only seen one blog post about this truth, by my co-worker Brian Riggs, who works on Adobe Media Player.
Please, read his post, link to it, and link to this one. Together, we can change the search engines!

Slides from my onAIR talk

Ethan Malasky — Mon, 23 Jun 2008 22:50:01 +0000

I’ve gone more in depth into security and injection attacks before. But sometimes, it’s nicer to see everything boiled down into a few slides.
Here, then, are the security slides from my onAIR presentation (PDF). You may see some familiar diagrams…
For more detailed information on how application upgrade really works, check out this trio of posts that Serge Jespers did.

Quick, Cool Links

Ethan Malasky — Tue, 17 Jun 2008 23:18:49 +0000

There’s been a lot going on lately, even without counting a great week with the onAIR tour in Europe. Each of these deserve a full post with captivating details and insider insight. But instead I’m going for partial credit, just getting everything out there.

AIR 1.1

AIR 1.1 went live last night, bringing international and localization support to AIR. This means that users get an application install experience best suited to their language, and developers can craft apps that are similarly localized. Christian and Jeff wrote articles showing how to do just that; check out the AIR Developer Center.

Update Framework

It’s crucial for applications to be able to update themselves. Users expect seamless growth as new functionality is added. Update is also a security safety valve. If an application has a vulnerability, it can update itself to a safe, patched version. Serge Jespers gave a great presentation about update for the onAIR tour.
Now there’s a new Update Framework available on Adobe Labs, making it even easier to do the right thing.

Security Talk

In Warsaw last week, Kevin Hoyt was nice enough to tape my talk on security. Yesterday, he made the audio available on his blog.
I can’t say enough about how educational and fun the onAIR tour was. The attendees’ engagement and expertise was really humbling. Developers are digging deep into AIR and pushing it to the limit, while suggesting great improvements to make development more and more elegant. The evangelists are always great to talk to, and are even greater to travel with.

AIR Cookbook

I just learned about the AIR Cookbook on the developer center. This is a great place for people to share the “recipes” they’ve created for working with AIR. After seeing some excellent techniques in action the other week, I’m sure the cookbook will become a valuable tool for developers of all levels. Delicious!!

One week with the onAIR Tour in Europe

Ethan Malasky — Thu, 29 May 2008 00:10:07 +0000

I’m posting this from the beautiful city of Stockholm, Sweden. This week I’ll be traveling with Mike Chambers, Ryan Stewart and the rest of the onAIR crew.
My presentation is an introduction to building security applications in AIR. The first leg of the tour is sold out, and I’m totally excited to be presenting to a full house. If you’re coming to the events in Stockholm, Berlin, or Warsaw, say hi. I want to use this opportunity outside my cube to meet the developers who give meaning to the platform.

Remote Plugins and Modules in AIR

Ethan Malasky — Mon, 14 Apr 2008 00:53:37 +0000

I’ve been getting a lot of questions about how to use remote “modules” in AIR. “Modules” is in quotes because it can mean different things. In every case, it refers to running some SWF or HTML/JS content that is loaded at runtime from the network. The difference are in how the content is loaded and how an application can communicate with it.
Depending on the specifics of the modules you want to load there are different options about how to load and communicate with the content. Let’s explore the options!!

In web browsers, we run remote content all the time, and don’t have to worry about security. Images and pages from other domains can execute their own code, but can’t reach into ours. We can also choose to pull someone else’s code into our own and run it. Dynamic evaluation of Javascript is a powerful tool, and it can be elegantly used. SWF has the same security model: remote content (images, audio, video, SWF) can run without accessing our code, and we can choose to import remote code and content (loadBytes()).
Privileged local applications have a responsibility to protect their users. No one wants their app to have flaws that expose their users’ data or computers to attackers. AIR has strict but simple standards about which content (SWF, JS) can get application privileges. Only the files in the application’s security sandbox may use the local File APIs, Windowing APIs, etc. Files will be in this sandbox only if they are loaded from the application’s local directory via an app: URI, or are imported into that sandbox using explicit APIs.

Separate Sandboxes

If you don’t trust the content, or don’t want to verify that it really is trusted, you can keep it at arm’s length. This is the default; remote content is loaded in a remote sandbox according to its domain. One difference in AIR is key: Communication is possible across sandboxes at runtime. Using the SandboxBridge API in AIR, content can expose a discoverable API to content across the border. Any data passed is copied to its destination. Complex data structures can be passed across the (deep-copy, without functions and custom class information).
This feels more like service-style communication. Loading a file is like getting a service endpoint. Your code’s integrity is protected by the loose coupling, but the service also has a bit of code that it gets to run in your client. Google Gears’s WorkerPool has a similar style, with message passing between threads that run in their own sandboxes. The big difference is that SandboxBridge messages are synchronous, and look like function calls and property gets.
SandboxBridges can be used at frame/iframe borders and at the LoaderInfo that is shared by parent and child when using Loader. Each side can expose APIs to the other. But it’s essential to resist the urge to bust the whole thing wide open. Don’t think it’s cute to just expose every AIR API to unprivileged content. Instead, expose high-level APIs that, when abused, will damage only your application, not the user’s whole system. A writeFile(file, data) API is just an invitation for attack. By contrast, savePreferences(data) will make your app less vulnerable to malicious content.

Importing

If you do trust the content, and want it to be able to share your runtime data, share your type definitions and execute in your space, you can import it into the application’s sandbox. This content will have full privilege. I can’t overstate this enough: content you import this way can completely take control of your application. And once it has control of your application, it can start doing evil things to the local machine. It can do anything your app can do.
So, why even bother with such a dangerous technique? Well, in some cases it really is what you want. If you’re trying to reduce the download size of your app, you can wait until you need some functionality before downloading it. Flex Modules, for instance, require that they be imported into the loader’s sandbox. The same technique works for localization data.
So to pull this content in safely, you need to prove that you can trust it. Given the ease of remote attacks (DNS hacks; man-in-the-middle attacks; owning up the “trusted” server; etc), imported modules must be signed, and the signature must be verified before loading the content.

First, sign your modules. I’m pretty sure you can just use adt for this, then rip the signatures.xml out of META-INF. Then post the modules and signatures.xml
When you download the modules, save them and signatures.xml somewhere in app-storage:/
Use the XMLSignatureValidator class to validate that you downloaded modules that really were signed by you (or some known entity).
Import the modules into your application sandbox. For SWF, use Loader.loadBytes(), pass a LoaderContext with allowLoadBytesCodeExecution=true. I doubt anyone will do *that* by accident.

In AIR 1.0, this is the best way to use Flex modules without taking dangerous risks. I expect there will be other techniques in future versions.
Import this way is not going to work for arbitrary third-party content. If you don’t know ahead of time who you trust to have signed it, you must not import it. Once again, we come back to The Spiderman Axiom: with great power comes great responsibility.
Blah. That’s way too long. But at least I have someplace to point people to when they ask!
Comments? Concise summaries?

AIR for Linux — users and developers

Ethan Malasky — Sun, 30 Mar 2008 21:30:57 +0000

Two big announcements on the Adobe + Linux front today. A public alpha of AIR and a new rev of Flex Builder.
For years I’ve been toying with the theory that Linux hasn’t caught on in the consumer desktop space because the apps users expect to run don’t run there. And the apps don’t run there because developers need to learn different styles to develop Linux apps. There’s different distros and packaging requirements, wide variance in window managers, etc, etc.
Sure, the rise of Wine kind of undermines the whole theory. But it adds an extra wrinkle: virtualized apps are cool, but a little bit weird. I’m hooked on virtualized OSes for daily life, but I still feel like they’re not really playing well with others.
Anyway, the ability to develop Linux apps using AIR is a big step. Developers can write these apps on any OS. And just as cool, developers who love what Linux offers for their own work productivity can create AIR apps that run on Mac and Win as well. Same .air file, any OS.
So try out the Linux tools and file some bugs!! It’s the best way to get quality where we all want it to be.

European Vacation

Ethan Malasky — Tue, 11 Mar 2008 19:30:52 +0000

This is going to be fun. Hot on the heels of shipping AIR 1.0, I’ve been given approval to join some excitable evangelists and other eloquent luminaries on the AIR Tour in Europe.
For one week in June, I’ll join the tour, presenting in Stockholm, Berlin and Warsaw. It’s always a blast to meet the developers who are pushing the envelope of rich apps. And it’ll be especially fun meeting them in parts of the world that are entirely new to me. From this desk, it’s sometime hard to feel the true scale of a global community.
I just need to find someone to keep an eye on my cube….