MAX Session: Maintain Security With Adobe AIR

It was my pleasure this week to co-present a session with Peleus from the Product Security Team. We discussed things developers should know and do to maintain security in their AIR applications.

Users grant AIR applications a lot of privilege, so developers naturally want to use that power wisely and write applications that are difficult for attackers to abuse. The talk was similar to the talk I gave on the onAIR Europe tour, but longer and more technical.

The slides are available in PDF and are viewable below thanks to the magic of Share.

2 Responses to MAX Session: Maintain Security With Adobe AIR

  1. Kamela says:

    Thx, that’s pretty useful!

  2. Andrea says:

    Hi Ethan,

    Thanks a lot for your complete and well-written presentation on security in Adobe AIR.

    I am facing a problem though, while I am creating an AIR application accessing Flickr and Amazon S3 APIs.

    How can I store my secret keys to access those services?

    1. If I include the key in the source code, it can be decompiled
    2. If I encrypt the keys and package them with the .air app, I should use some robust algorithm like AES-256, but then again I would have the problem of also including in the source code the AES key to decrypt the API keys
    3. If I store the API keys on a remote web server that I control, I would not know how to ensure that only my AIR app can download them.

    How would you approach this particular problem?

    Thanks,
    Andrea