Overview

Although the AIR security model is an evolution of the security model for SWF content running in Flash® Player and HTML content running in the browser, the security contract is different from the security contract applied to content in a browser. This contract offers developers a secure means of broader functionality for rich experiences with freedoms that would be inappropriate for a browser-based application.

AIR applications run with the same user privileges as native applications. In general, these privileges allow for broad access to operating system capabilities such as reading and writing files, drawing to the screen, and communicating with the network. Operating system restrictions that apply to native applications, such as user-specific privileges, equally apply to AIR applications.

AIR applications are written using either compiled bytecode (SWF content) or interpreted script (JavaScript, HTML) so that memory management is provided by the runtime. This minimizes the chances of AIR applications being affected by vulnerabilities related to memory management, such as buffer overflows and memory corruption. These are some of the most common vulnerabilities affecting desktop applications written in native code.

Note: This white paper discusses security-related issues in Adobe AIR. The “AIR Security” chapter of the developer documentation provides technical details on developing secure AIR applications and considerations in using the AIR APIs:

For Flex developers (http://www.adobe.com/go/learn_air_flex_en)
For Flash developers (http://www.adobe.com/go/learn_air_flash_en)
For Ajax developers (http://www.adobe.com/go/learn_air_html_en)