Security sandboxes

AIR provides a comprehensive security architecture that defines permissions for each file in an AIR application. This includes both those files installed with the application and other files loaded by the application. Permissions are granted to files according to their origin, and are assigned to logical security groupings called sandboxes.

Files installed with the application reside in a directory known as the application directory, and for that reason they are placed in a security sandbox, known as the application sandbox, that has access to all AIR APIs. This includes APIs that would pose a serious security risk if made available to content from any source other than the application directory (in other words, to files that were not installed with the application).

The AIR sandbox model is the Flash Player security model plus one addition: the application sandbox. Files that are not in the application sandbox are subject to security restrictions like those of the Flash Player security model.

The runtime uses these sandboxes to define the data a file may access and the operations it may perform. The files in each sandbox are isolated from the files of every other sandbox. For example, a SWF file loaded into an AIR application from an Internet URL is placed in the remote sandbox and, by default, has no permission to script into files residing in the application directory, which belong to the application sandbox.

Note: On iOS, the execution of downloaded code is not permitted.

Privileges of content in the application sandbox

When an application is installed, all files included within an AIR installer file are installed onto the user's computer into an application directory. All files within the application directory tree are assigned to the application sandbox when the application is run. Content in the application sandbox is allowed the full privileges available to an AIR application, including interaction with the local file system.

Many AIR applications use only these locally installed files to run the application. However, AIR applications are not restricted to just the files within the application directory — they can load any type of file from any source. This includes files on the user's computer as well as files from external sources, such as those on a local network or from the Internet. File type has no impact on security restrictions; loaded HTML files have the same security privileges as loaded SWF files from the same source. (However, content in the application sandbox is restricted from loading JavaScript files from outside that sandbox. Details are provided in the developer documentation.)

Content in the application security sandbox has access to AIR APIs that content in other sandboxes is prevented from using. For example, only content in the application security sandbox can read and write to the local file system.

Some JavaScript techniques, such as eval(), dynamically turn strings into executable code. Content in the application security sandbox may use these techniques only while content is still loading from application URLs; once loading completes, they are blocked. Permitting them afterwards would pose a security risk: an application could inadvertently execute a string loaded from a network sandbox, and that string could contain malicious code, such as code that deletes or alters files on the user's computer or sends the contents of a local file to an untrusted network domain. Details are provided in the developer documentation.
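The following is an added example, not code from the AIR documentation or from the AIR runtime. It models the risk described above in plain Node.js: application-sandbox code that turns a string received from a network origin into executable code. The HTTP responses are constructed inline, the app: scheme is used as the marker for application-directory content, and the sandboxFor and executeIfPermitted helpers are hypothetical models of the rule in the text, not AIR APIs.

```javascript
// Constructed HTTP responses. The application expects a JSON settings
// object; HOSTILE_RESPONSE is what a hostile server could send instead.
const BENIGN_RESPONSE = '{"theme":"dark","fontSize":14}';
const HOSTILE_RESPONSE =
  '{"theme":"dark"}); globalThis.exfiltrated = "contents of a local file"; (0';

// Vulnerable pattern: eval() executes the response with the caller's
// privileges. In the real application sandbox that means access to the
// local file system and the other privileged AIR APIs. The wrapping
// parentheses are the common idiom for "parsing" JSON with eval; the
// hostile response closes them early and appends its own statements.
function parseSettingsUnsafe(text) {
  return eval('(' + text + ')');
}

// Hardened pattern: JSON.parse treats the text strictly as data and
// rejects anything that is not JSON, so the hostile response yields null
// instead of running. The returned object still needs ordinary input
// validation before use; it is just no longer able to execute anything.
function parseSettingsSafe(text) {
  try {
    return JSON.parse(text);
  } catch (err) {
    return null;
  }
}

// Hypothetical sandbox assignment by origin, following the rule in the
// text: content from an app: URL (the AIR scheme for the application
// directory) is application-sandbox content; anything else is not.
function sandboxFor(url) {
  return url.startsWith('app:/') ? 'application' : 'non-application';
}

// Hypothetical model of the runtime rule: string-to-code execution is
// allowed only for application-sandbox content, and only while the page
// is still loading. Everything else is refused before eval is reached.
function executeIfPermitted(url, text, pageLoaded) {
  const sandbox = sandboxFor(url);
  if (sandbox !== 'application') {
    return { executed: false, reason: 'dynamic code blocked for ' + sandbox + ' content' };
  }
  if (pageLoaded) {
    return { executed: false, reason: 'dynamic code blocked after page load' };
  }
  return { executed: true, value: eval(text) };
}

module.exports = { parseSettingsUnsafe, parseSettingsSafe, sandboxFor, executeIfPermitted };
```

Calling parseSettingsUnsafe(HOSTILE_RESPONSE) from a Node REPL sets globalThis.exfiltrated, which is the stand-in for the file read or network write the text warns about; parseSettingsSafe(HOSTILE_RESPONSE) returns null and leaves the global untouched. The safe path is the right one even for application-origin text: settings are data and never need to be executed.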

Note: In mobile AIR applications, HTML and JavaScript cannot be loaded into the application sandbox. Mobile AIR applications display such content using the system web control. This control has the same security considerations as the default system web browser.

Privileges of content in non-application sandboxes

Files loaded from a network or Internet location are assigned to a non-application sandbox. Such content behaves with the same set of privileges and restrictions as SWF content running in a web browser (in Flash Player) or HTML content running in a web browser.

Unlike content in the application security sandbox, HTML code in a non-application security sandbox can use JavaScript methods to execute dynamically generated code at any time.

Code in a non-application sandbox does not have access to the privileged AIR APIs that provide application functionality.

Details are provided in the developer documentation.
