AIR Security

We just shipped Adobe AIR 1.0, check it out at!

AIR lets web developers–whether HTML/AJAX, Flex or Flash–build rich and complex applications that run on the desktop. From a security standpoint, the “desktop” part of that is the key.

If you come from a web development background, you will find that desktop applications differ significantly, security-wise, from apps based in the web browser. Desktop applications have direct access to the local system (insofar as the operating system permits, of course), but in return they must be explicitly installed by the user or system administrator.

Adobe requires all applications on Adobe AIR to be digitally signed, with either a self-signed certificate or a commercial certificate from a trusted Certificate Authority (CA). For the end user, when an application is signed with a self-signed certificate, the installation experience will reflect that the publisher is unknown, giving the user pause as to whether they should continue. So, when developers use a commercial certificate from a trusted Certificate Authority, users are more likely to install their applications. We’ve worked with trusted Certificate Authorities such as Thawte to make it easy to get a digital certificate for code signing. We’ve also enabled administrators to block applications that do not have a signature that chains to a trusted CA.

In AIR, we provide a consistent installation experience for all of our supported platforms (Windows, OS X and soon to be Linux). This means that the user is always presented with the same installation dialogs regardless of which application they are installing or the particular platform that they are on. For some additional information on the AIR installation experience see my previous blog entry.

Just because AIR applications are bound by the desktop security model, it doesn’t mean that you don’t have to think about security. On the contrary, desktop applications require as much consideration as web applications. This is something we put an enormous amount of effort into. For example, AIR applications have multiple security sandboxes to allow them to interact safely with content on the web.

For an overview of the Adobe AIR security model, see the AIR Security White Paper, which outlines the security model and provides information on the security sandboxes available to Adobe AIR applications. We’ve also put together another white paper which specifically details the enhancements to the HTML security model to enable applications on the desktop.

If you are a developer looking at AIR, a great next step would be to check out my introduction to the AIR security model at the Adobe Developer Center.