It was my pleasure this week to co-present a session with Peleus from the Product Security Team. We discussed things developers should know and do to maintain security in their AIR applications.
Users grant AIR applications a lot of privilege, so developers naturally want to use that power wisely and write applications that are difficult for attackers to abuse. The talk was similar to the talk I gave on the onAIR Europe tour, but longer and more technical.
The slides are available in PDF and are viewable below thanks to the magic of Share.

Thx, that’s pretty useful!

Hi Ethan,
Thanks a lot for your complete and well-written presentation on security in Adobe AIR.
I am facing a problem though, while I am creating an AIR application accessing Flickr and Amazon S3 APIs.
How can I store my secret keys to access those services?
1. If I include the key in the source code, it can be decompiled.
2. If I encrypt the keys and package them with the .air app, I should use some robust algorithm like AES-256, but then again I would have the problem of including in the source code also the AES key to decrypt the API keys.
3. If I store the API keys on a remote web server that I control, I would not know how to ensure that only my AIR app can download them.
How would you approach this particular problem?
Thanks,
Andrea