AIR’s Unrestricted System Access Warning

[Update 2009-07-30: This dialog has been revised for AIR 1.5.2.]

If you’ve ever installed an Adobe AIR-based application–you have installed one, right?–then you’ve probably noticed the installation screen warning that the application you’re installing will have unrestricted system access. I’m frequently asked by developers how they can get rid of this warning, lest it scare off some of their customers. The short answer: you can’t.

When we developed the installation screens for AIR, one of our major goals was to make sure they were informative. Installing an application on your machine is a big deal. You’re trusting code that someone else wrote to not steal or destroy your information. If you’re going to do this, you ought to be well-informed regarding what you’re installing and what risk you’re taking.

The “unrestricted system access” warning is there to make sure you know that, once you install this application, you’re trusting it to behave. No one else is going to keep an eye on it for you.

Some future release of AIR might offer to perform this function for you–that is, restrict the system access of certain applications. With that capability, you might make different decisions about which applications to install. But that’s all theoretical for now. Right now, all application are unrestricted. Even if they don’t need to, say, access the filesystem, they still can. So that warning shows up every time.

How do you know, then, which applications to trust? I recommend making that decision based on the publisher’s identity–the other major piece of information on that first installations screen.

24 Responses to AIR’s Unrestricted System Access Warning

  1. Tek says:

    The only criticism on the internet regarding Air is security and that Air can access the file system.Why not display the warning you are talking about before each time the application ask to access the file system (and what folder or file in the file system). Of course you could offer an option to ask to never display this warning again.Actually everything works like that, windows firewall, anti-viruses, user trust this sort of warning.Users must trust Air ! 🙂

  2. This Unrestricted Access thing is pretty scary as an end user. Don’t think it’s good enough for you to say Trust Us.

  3. David Tucker says:

    @Tek – They key thing to remember here – is that AIR applications are desktop applications. The examples you gave are for utilities as opposed to functional applications.I don’t believe any user would be satisfied if Microsoft Word prompted them everytime the application attempted to access the file system.I think that the install dialog might need to be tweaked in some way, but I do not believe that there should be some kind of dialog before accessing system resources.

  4. Tony Fendall says:

    Dialogs are a terrible idea. I hope things never go that way.I do think that the warning doesn’t need to appear in the installer however if the app isn’t going to have filesystem access for example. The compiler knows which packages are being included in the application, so surely it could adjust the warning to suit.

  5. Tom Esposito says:

    I’m in this situation right now. I purchased a Thawte cert and expected the Warning sign to go from red to green. Instead, it’s yellow. It’s fine if you want to warn the user about unrestricted file access. But if the publisher has a cert, the icon should be green. This would tell the user that installing this program could be harmful, but the publisher is trusted. That’s my only beef.

  6. chris rosa says:

    I think the main problem with this is that “system access” isn’t very well defined. As an admin, I take it to mean the worst. Root access for instance.From an interface perspective it’s not very appealing to the enduser. The red circle with a cross through it means something is wrong; don’t proceed. A happy medium would be to just make it green like the “publisher identity” checkmark with “STANDARD” or something of that sort, and a description of the access it has.I appreciate your security concern. I just think it could be handled in a different manner that wouldn’t be so off-putting.Imagine going to kiss a girl (for instance), and she has a sticker next to mouth that says “contains bacteria”. Not appealing.

  7. I echo the sentiments of Tony above. I spent $300 on a Thawte “identity” cert for our application and I could have just saved the money.Every application installed on a computer has access to the file system. It is ridiculous for us to be required to have an identity cert and then punish us for using YOUR product.

  8. I’m sorry, but the main point for me is that I bought a Mac and run logged in as a regular non-admin user. This is for my own protection. It’s also why I abhor applications like AIR (and MS Office) that ask for my admin password. My rule: I must be extremely motivated by lust and desire before I will give a program permission to do anything outside of my regular account. In my opinion, if a Mac app won’t install via drag-and-drop to the folder of my choice, it’s got a problem. No. One. Needs. Root. Access. Sadly, this means I won’t be using Twhirl or other cool AIR apps…

  9. Oliver Goldman says:

    @Matthew: Actually, sometimes root access is required. For example, AIR installs into /Library/Frameworks, per Apple’s guidelines. And that location requires root access to write to, again per Apple’s guidelines. Hence you get asked for an admin password when installing AIR.On the other hand, we went through great lengths to make sure we don’t ask you for that password unless necessary. So if you’re installing an AIR application to a folder (/Applications, etc.) that doesn’t require admin access you won’t be prompted.Further, all of this is really a separate issue from the unrestricted access warning. AIR applications don’t, of course, run as root. In that sense, they are restricted to the set of things that can be done from a user account. But even that set of things is dangerous if you don’t trust the application; even if a malicious application can’t trash your machine, that would certainly be enough access to trash your account.

  10. Oliver Goldman says:

    @Mike: On the contrary, your Thawte certificate now allows you to get your company’s name in front of your end users in a reliable, trusted way. The ridiculous thing is that other installation mechanisms don’t provide these kinds of guarantees.

  11. Dallan Quass says:

    I think the problem with the yellow ? and the red “System access: Unrestricted” warning is that other applications you install *don’t* have this warning, so it appears to most end-users that installing an AIR app is somehow much worse than installing a regular application.If I’m an average windows user and I install .exe’s from trusted sites and never get a warning like this, and then I install an AIR app and get this scary warning, what am I supposed to think? Obviously Windows must be telling me to be extra-careful about this app because it’s about to do things that none of those other applications can do.That’s why I think that the warning needs to be toned down for signed app’s — because it gives the impression to the average user that the app is getting greater access to the system than the .exe’s that people download all the time.

  12. rob A says:

    I have to agree that your warning is over the top. Signed applications can still display the warning, but recognise the difference between trusted and un-truted. And if security is really such a big deal to you put some effort in to doing it properly by allowing applications to request the access level they need, not this half-arsed effort which pleases nobody except the person whose brainchild it was.

  13. Terry R says:

    So is this (it’s 2009 now) till not cleared up? You mean I still can’t put any code in here that turns off system access for a very simple widget (like, don’t import) and avoid the macabre system access warning?[So you’re asking if, in the less than one year since AIR shipped, we’ve added a feature that requires significant effort to implement and is not among the most frequently requested? No, we haven’t done that yet. —Oliver]

  14. Just to add another vote the dialog is OTT. Espcially when you’ve just bought a certificate.Take away the red cross next to system access and replace it with the yellow question mark.The red cross shouts there is something wrong. Rather than there is something you should be careful with.

  15. Aaron says:

    I think that if you’ve gone to trouble of getting a valid certificate and parting with $200-$400 per year, then you are a serious developer, and the Red cross next to the system access, should be toned down to a yellow question mark.I’ve had a couple of users question me on what it means for them, and that it scared them a bit.For unsigned apps, there should definately be 2 big red crosses.

  16. Jason Benson says:

    I understand the want to appeal to the best practices and applaud Adobe for helping pave the way.However other no other application framework has a security warning like this when the application is signed by a trusted issuer.Java applications need to be signed as well however once signed the warnings are basic, to the point and do not create FUD. All the warnings on the Air installers do is create a level of FUD that is in my opinion unacceptable to a professional developer.I appreciate that Adobe provided an installer routine and management routine but this appears to be yet another reason to use custom installers and environments that support them.

  17. Ann says:

    i always cancel an install when I get this warning. The publisher is always undetermined (e.g. for TweetDeck) and the access is always unrestricted. As an end user this is a huge stop sign that dissuades from installing ANY Adobe Air App.

  18. Joel says:

    A not so small message to say, that, for regular users, installing an Air app even with a paying CERT looks still much more frightening than installing a C application.It is plain nonsense.On the end we have users that won’t install the AIR version of our app and we’ll have to communicate concerning the web version, and leave the AIR app by the side.A pity.The least I expect is some process that would allow to have something green at the top of the installer.I can imagine a process:one has to send the code of the app to some place (Adobe would be a fine place for me).The code is examined automatically by a Source Code Static Analysis Tool for major security issues. Even obfuscated code could be analysed. Or some other solutions.And even for a higher insurance (greener) level you could have manual code review.I believe the process can be made automatic at a reasonnable price. I know of big companies working on such an automated process. And i could even setup such a process if there was a will at Adobe.But mainly there is a need for us to give engaging installers to end users.I hope that Adobe will soon help us a bit more in distributing AIR apps.Best,

  19. Cameron says:

    If you can’t make AIR stay out of the system YOU are doing something wrong Adobe.As an end user I won’t run AIR apps until you let me install them where I want which means outside the system directory.You are becoming worse than microsoft. Thanks for dragging us back into the dark ages.I will stick to browser based apps offered by the competitors of the companies trying to get me to install AIR apps.[Not sure what you mean by “system directory”. AIR installs only to the locations recommended (by Microsoft, Apple, etc.) for third-party applications. These are not system directories. —Oliver]

  20. Jonathan says:

    We just ported a major app to AIR and signed it, and now potential customers are refusing to install the demo because of the horrifying “Unrestricted System Access”.This is not good. And not even accurate. It really looks like Adobe is foiling a potential hacker intrusion.How about rewording to make it more informative: “Grant this application file system access?”[We’ve heard this one loud and clear. A revised version of this screen will appear soon. —Oliver]

  21. wtf says:

    I agree that it is good being truthful and honest with your users, but pointing this out is just calling attention to something that is negative and not really helpful to the users.It just begs the question: how to I restrict access? and has this app REQUESTED this access? Implies that there are different types of access…

  22. Laurence Lok says:

    This may be the single downfall of Adobe AIR and a very poor design choice. As a usability expert working on sites like Laurel Crown Furniture let me say: Users will not use something that may be harmful to their computers even if the source looks reputable. In this day and age there are simply too many people trying to take advantage of unsuspecting users through malware, spyware, bots etc. Hence, people will discount AIR from the start (no matter how great the apps are) in favor of your competitors.Now that I know you’ve made such a stupid design choice I will go and start installing AIR applications that I’ve been dying to try. Just know that before this I never installed a single application because they all wanted “Unrestricted Access” to my computer and I said “No thank you.”

  23. John says:

    How the situation looks now with signed applications? Do they still include yellow warning?When some modifications will be relased? With AIR 2? 2010?[It looks like the dialog shown in this post. —Oliver]

  24. DaveCS says:

    That warning was a showstopper for me. It’s malicious looking in itself. I have a popular web app that I ported (with more powerful features) to Silverlight, WPF and AIR.

    The Silverlight warning is bad, the AIR warning is horrific so I am sticking exclusively to the WPF app. I can control the entire setup dialog.

    I do have many Mac users and wondered how I would accommodate them. For now I’m not.

    I will not do any further AIR development in the future either.