How Bad Crossdomain Policies Expose Protected Data to Malicious Applications

The web’s success has been partially due to the sandbox it provides users. Users do not generally have to entirely trust every website they visit because malicious web sites should be sandboxed from doing the user harm. One way that web sites are sandboxed is through a same-origin policy. By default any […]
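As an added example (not part of the original post), here is a small Python checker that parses a Flash/AIR crossdomain.xml policy and flags the settings that widen the same-origin sandbox described above. Both sample policies are constructed for this illustration; the element and attribute names (`site-control`, `allow-access-from`, `allow-http-request-headers-from`, `secure`) are the standard crossdomain.xml vocabulary, and the severity ratings are this example's own judgement.

```python
import xml.etree.ElementTree as ET

# Constructed sample policies for this illustration (not from any real site).
PERMISSIVE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="all"/>
  <allow-access-from domain="*" secure="false"/>
  <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>
"""

RESTRICTED_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="partner.example.com" secure="true"/>
</cross-domain-policy>
"""


def audit_crossdomain_policy(xml_text):
    """Return a list of (severity, message) findings for one crossdomain.xml.

    An empty list means nothing in the policy grants access beyond an
    explicit, named set of sites served over the same scheme.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        raise ValueError("not a cross-domain-policy document")

    findings = []

    # site-control: "all" lets a policy file anywhere on the host grant access,
    # so a user-upload directory could carry one; "master-only" confines it
    # to the root policy file.
    for sc in root.findall("site-control"):
        if sc.get("permitted-cross-domain-policies") == "all":
            findings.append(("high", 'site-control permits policy files anywhere on the host ("all")'))

    # allow-access-from: the domain pattern is what opens the sandbox.
    for el in root.findall("allow-access-from"):
        domain = el.get("domain", "")
        if domain == "*":
            findings.append(("high", 'allow-access-from domain="*" lets content from any site read responses, including authenticated ones'))
        elif domain.startswith("*."):
            findings.append(("medium", f"allow-access-from trusts every host under {domain[2:]}"))
        # Assumption of this checker: a missing "secure" attribute is treated as
        # "true" (the conservative default for a policy served over https).
        if el.get("secure", "true").lower() == "false":
            findings.append(("high", 'secure="false" lets plain-http content read data served over https'))

    # Both wildcards together let any site attach arbitrary request headers
    # to requests that carry the user's cookies.
    for el in root.findall("allow-http-request-headers-from"):
        if el.get("domain") == "*" and el.get("headers") == "*":
            findings.append(("medium", "any site may send arbitrary request headers"))

    return findings


def is_same_origin_safe(xml_text):
    """True when the policy contains no high-severity finding."""
    return not any(sev == "high" for sev, _ in audit_crossdomain_policy(xml_text))


if __name__ == "__main__":
    for name, policy in (("permissive", PERMISSIVE_POLICY), ("restricted", RESTRICTED_POLICY)):
        print(f"{name}: safe={is_same_origin_safe(policy)}")
        for severity, message in audit_crossdomain_policy(policy):
            print(f"  [{severity}] {message}")
```

Run it against a site's own policy file to see which entries would let third-party content read data the browser otherwise keeps within the origin; the restricted sample shows the shape a policy should take when access really is needed for one named partner.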

AIR 1.5.2 offers improved application install process

Last week we released an updated version of the AIR runtime, version 1.5.2, which includes bug fixes related to reliability, compatibility and security – the details of which can be found on the Adobe AIR team blog and in the developer release notes.

This minor update does however also make a change to the install dialogue that is displayed to the user when installing an AIR application. In versions prior to AIR 1.5.2, the user would be presented with the following dialogue when installing an application that had been signed with a certificate-authority issued certificate:

AIR application install dialogue, before AIR 1.5.2

We received feedback from some end-users suggesting that this dialogue, which verified the publisher's identity but also warned of unrestricted system access, left them unsure whether the application should be trusted, even when they recognized and trusted its publisher.

From an application publisher's perspective, the AIR deployment process offered no option to package an application with a more limited level of system access, so publishers often had to provide additional reassurance, in the form of step-by-step install guides or FAQ documents published online, that the application was OK to install.

With the release of AIR 1.5.2, the install dialogue for all newly installed applications (i.e. not just those that have been updated to work specifically with the new version), signed with a certificate-authority issued certificate, is as follows:

AIR application install dialogue, as of version 1.5.2

This simplified dialogue removes the specific warning about unrestricted access, but still (correctly) challenges the user to answer the question “Are you sure you want to install this application to your computer?”. Most end-users I’ve spoken with understand that “installing” something requires a certain level of trust and I think the revised dialogue is more in line with existing OS dialogues and more appropriate to the level of risk involved.

For application publishers it should remove some of the overhead that was required to support end-users during the installation process and remove a concern that might otherwise have put them off completing the installation.

It should be noted that there has been no change to the dialogue for self-signed applications – this dialogue, quite rightly, makes it clear to the end-user that there is increased risk associated with the installation of the application.


You can download the latest version of the AIR runtime from here.

New content on the Adobe Developer Connection

Flex developers: Secure your applications with the Flexible Chimp project and Spring BlazeDS Integration project. Ryan Knight and Jon Rose show you how in their article, Enterprise security for Flex.

If you want to learn more about ActionScript programming in Adobe Flash CS4 Professional, you’ll want to watch Doug Winnie’s recent ActionScript video tutorials. In these videos, Doug teaches designers how to code interaction and animation, as well as basic programming concepts. Also be sure to check out the Components Learning Guide for Flash CS4. It will help you reduce your development time and effort by using building blocks for creating rich interactive applications on the web.

For the more advanced crowd, ActionScript expert Colin Moock’s Lost ActionScript Weekend turns a fireside chat with friends into a series of real-world lessons about ActionScript 3.

To get e-mail updates of our new content, subscribe to our newsletters: News Flash, The Edge, and the ADC update. You can also visit the Adobe Developer Connection to check for new content.