As of Adobe AIR 2, desktop AIR applications can run and
communicate with other native processes via the command line. For
example, an AIR application can run a process and communicate with
it via the standard input and output streams.
To communicate with native processes, the developer packages
an AIR application to be installed via a native installer. The file
type of native installer is specific to the operating system for
which it is created:
-
It is a DMG file on Mac OS.
-
It is an EXE file on Windows.
-
It is an RPM or DEB package on Linux.
These applications are known as extended desktop profile applications.
When packaging these applications, the developer signs the application
with a code-signing certificate. The same kinds of certificates
are used as those used in signing a standard desktop AIR application.
The native process API can run any executable on the user’s system.
The AIR documentation provides developers with guidance on using
the native process API securely. Developers are warned to take care
when constructing and executing commands. Applications should validate
data that is sent to a native process.
AIR on Windows prevents extended desktop applications from running
.bat files directly. Command-line arguments to a .bat file could
contain potential malicious injections of extra characters. These
injections could cause the cmd.exe application (which executes .bat
files) to execute harmful or insecure applications.
