Accessing the file system

Applications running in a web browser have only limited interaction with the user's local file system. Web browsers implement security policies that ensure that a user's computer cannot be compromised as a result of loading web content. For example, SWF files running through Flash Player in a browser cannot directly interact with files already on a user's computer. Shared objects can be written to a user's computer for the purpose of maintaining user preferences and other data, but this is the limit of file system interaction. Because AIR applications are natively installed, they have a different security contract with the end user. This contract between the application and the end user is made at install time just like native applications, and it includes the capability for the application to read and write across the local file system.

This freedom comes with a higher degree of responsibility for developers. Accidental application security gaps jeopardize not only the functionality of the application, but also the integrity of the user’s computer. The developer documentation includes an “AIR Security” chapter that addresses best practices.

Unless there are administrator restrictions applied to the user’s computer, AIR applications are privileged to write to any location on the user's hard drive. However, developers are encouraged to use the user- and application-specific application storage directory that the runtime provides for each application. The AIR API provides convenient methods for developers to read and write data in the application storage directory.

The runtime also provides an encrypted local data storage area unique to each application and user. This allows applications to save and retrieve data that is stored on the user’s local hard drive in an encrypted format that cannot be deciphered by other applications or users. A separate encrypted local store is used for each AIR application, and each AIR application uses a separate encrypted local store for each user. Applications may use the encrypted local store to store information that must be secured, such as login credentials for web services. AIR uses DPAPI on Windows and KeyChain on Mac OS to associate encrypted local stores to each user. The encrypted local store uses AES-CBC 128-bit encryption.
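
The following ActionScript 3 sketch is an added example, not code from the AIR documentation. It keeps non-sensitive data in the application storage directory, rejects file names that would resolve outside that directory, and puts secrets in the encrypted local store. The class name `AppStorage`, its method names and any key or file names passed to it are assumptions made for illustration; the `File`, `FileStream` and `EncryptedLocalStore` calls are the runtime's own API.

```actionscript
package {
    import flash.data.EncryptedLocalStore;
    import flash.filesystem.File;
    import flash.filesystem.FileMode;
    import flash.filesystem.FileStream;
    import flash.utils.ByteArray;

    // Hypothetical helper; class, method and key names are illustrative.
    public class AppStorage {
        // Resolve a relative name under the application storage directory
        // and refuse results that land outside it (e.g. via "../").
        private static function resolveInStorage(name:String):File {
            var root:File = File.applicationStorageDirectory;
            root.canonicalize();
            var target:File = root.resolvePath(name);
            target.canonicalize();
            // getRelativePath() returns null when target is not under root.
            if (root.getRelativePath(target, false) == null) {
                throw new ArgumentError("Outside application storage: " + name);
            }
            return target;
        }

        // Non-sensitive data: plain file in the per-user, per-app directory.
        public static function savePreferences(name:String, text:String):void {
            var stream:FileStream = new FileStream();
            stream.open(resolveInStorage(name), FileMode.WRITE);
            try {
                stream.writeUTFBytes(text);
            } finally {
                stream.close();
            }
        }

        // Secrets: encrypted local store, never the plain storage directory.
        public static function saveSecret(key:String, secret:String):void {
            var bytes:ByteArray = new ByteArray();
            bytes.writeUTFBytes(secret);
            EncryptedLocalStore.setItem(key, bytes);
        }

        // Returns null when no item is stored under the key.
        public static function loadSecret(key:String):String {
            var bytes:ByteArray = EncryptedLocalStore.getItem(key);
            return bytes == null ? null : bytes.readUTFBytes(bytes.length);
        }
    }
}
```

Routing every write through one resolver keeps file names derived from user input or remote content from reaching the rest of the hard drive, which the runtime itself would otherwise permit.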