Ultimately, RIA security rests with everyone involved in
the application life cycle. End users trust the developer to adhere
to best practices and standards.
Aside from recommended development methodologies, security for
AIR applications begins with installation on the user’s computer:
-
The initial installation workflow cannot be modified.
-
Applications share a streamlined and consistent installation
process that is consistent across all web browsers and operating
systems.
-
Installation is administered by the runtime which cannot
be manipulated by the installed application.
-
Installer files must be digitally signed so that users can
verify the code’s origin and determine the application’s access
privileges.
-
The runtime provides memory management to minimize vulnerabilities
such as buffer overflows and memory corruption.
Responding to any security concern ultimately adds to the developer’s
burden. However, the AIR security model attempts to reduce the complexity
of writing and maintaining secure code.
Refer to the AIR developer documentation for a list of best practices.
Among others, these include limiting the use of external files to
those which are necessary, not using data from network sources for
certain operations, and so on.
