Security: a shared responsibility

Ultimately, RIA security rests with everyone involved in the application life cycle. End users trust the developer to adhere to best practices and standards.

Aside from recommended development methodologies, security for AIR applications begins with installation on the user’s computer:

• The initial installation workflow cannot be modified.

• Applications share a streamlined and consistent installation process that is consistent across all web browsers and operating systems.

• Installation is administered by the runtime which cannot be manipulated by the installed application.

• Installer files must be digitally signed so that users can verify the code’s origin and determine the application’s access privileges.

• The runtime provides memory management to minimize vulnerabilities such as buffer overflows and memory corruption.

Responding to any security concern ultimately adds to the developer’s burden. However, the AIR security model attempts to reduce the complexity of writing and maintaining secure code.

Refer to the AIR developer documentation for a list of best practices. Among others, these include limiting the use of external files to those which are necessary, not using data from network sources for certain operations, and so on.