Security is a key concern of Adobe, users, system administrators,
and application developers. For this reason, Adobe® AIR® includes a set of security rules and controls
to safeguard the user and application developer. This white paper presents
the security considerations in using and developing applications
for Adobe AIR.
Although the AIR security model is an evolution of the security
model for SWF content running in Flash® Player
and HTML content running in the browser, the security contract is
different from the security contract applied to content in a browser.
This contract offers developers a secure means of broader functionality for
rich experiences with freedoms that would be inappropriate for a
browser-based application.
AIR applications run under the same operating system security
constraints of other, native applications on a given computing device.
In general, these constraints allow for broad access to operating
system capabilities such as reading and writing files, drawing to
the screen, and communicating with the network. Operating system
restrictions that apply to native applications, such as user-specific
privileges, equally apply to AIR applications.
AIR applications are written using either compiled bytecode (SWF
content) or interpreted script (JavaScript, HTML) so that memory
management is provided by the runtime. This minimizes the chances
of AIR applications being affected by vulnerabilities related to
memory management, such as buffer overflows and memory corruption.
These are some of the most common vulnerabilities affecting desktop
applications written in native code.
Note:
This white paper discusses security-related
issues in Adobe AIR. The following developer documentation provides
technical details on developing secure AIR applications and considerations
in using the AIR APIs:
-
For ActionScript (Flash and Flex) developers, see
AIR Security
in the ActionScript 3.0
Developer’s Guide
-
For Ajax developers, see
AIR Security
in the HTML Developer’s
Guide for Adobe AIR
