AIR Security Overview

Security is a key concern of Adobe, users, system administrators, and application developers. For this reason, Adobe® AIR® includes a set of security rules and controls to safeguard the user and application developer. This white paper presents the security considerations in using and developing applications for Adobe AIR.

Although the AIR security model is an evolution of the security model for SWF content running in Flash® Player and HTML content running in the browser, the security contract is different from the security contract applied to content in a browser. This contract offers developers a secure means of broader functionality for rich experiences with freedoms that would be inappropriate for a browser-based application.

AIR applications run under the same operating system security constraints of other, native applications on a given computing device. In general, these constraints allow for broad access to operating system capabilities such as reading and writing files, drawing to the screen, and communicating with the network. Operating system restrictions that apply to native applications, such as user-specific privileges, equally apply to AIR applications.

AIR applications are written using either compiled bytecode (SWF content) or interpreted script (JavaScript, HTML) so that memory management is provided by the runtime. This minimizes the chances of AIR applications being affected by vulnerabilities related to memory management, such as buffer overflows and memory corruption. These are some of the most common vulnerabilities affecting desktop applications written in native code.

Note: This white paper discusses security-related issues in Adobe AIR. The following developer documentation provides technical details on developing secure AIR applications and considerations in using the AIR APIs:
  • For ActionScript (Flash and Flex) developers, see AIR Security in the ActionScript 3.0 Developer’s Guide

  • For Ajax developers, see AIR Security in the HTML Developer’s Guide for Adobe AIR

// Ethnio survey code removed