AIR Security Criticisms

By Darryl K. Taft  |  Posted 2008-03-03

Well, what about an offline Silverlight capability? Would that do it?

In order to do it well, your heart has to be in it. And if you look at what we're doing right now with our technologies like Flash and AIR, we're making sure they work reliably across operating systems. So that means Mac and Windows, but also Linux. We're releasing Flash Player now simultaneously for Mac and Windows. It took us a while to get there and now we're doing that, and it's the same core code.

If you look at what Microsoft is doing with Silverlight, they're not actually building the Linux version off the same code base. It's a new code base, which is unlikely to be compatible with the other code bases because it's just not built the same way. So there'll be different idiosyncrasies and we know that will be a problem. So we're really taking a passionate approach to reliability across OSes. And you really have to have that as the core essence of what you're doing or it won't really work that well. And that's what we're doing with Flash and with AIR.

And if you look at what AIR is doing with its capabilities, it's really far out ahead right now. We started building AIR early and we had a vision of what we thought would be a use case in the future for these applications to come on the desktop. At the time it was still the early days of rich Internet applications and people were still trying to figure out what that meant inside the browser.

So I think we made a long-term bet a while ago and we happened to hit at a time when people were really interested in solving some of the problems that AIR does now.

Sometimes you come out with a technology where the technology is ahead of its time or you come out when there are already 24 things out. We happened to hit something and I think right now we're there where it took us a while to build it, but it happened to come out at a time when people are interested.

So how do you address the criticisms about security with AIR?

Well, AIR has a good security model. We are very much focused on security with AIR. The applications you install are signed, so as a user you can decide whether you trust that person or not.

If you don't trust someone who is offering you an AIR application, I don't recommend you install it because AIR applications do have access to your local information and that's what makes them more like a native application. But if you do trust them, then you're giving them rights to access your local data and it makes it a more productive application experience.

One thing we did look at is how to enable these applications to be secure once you have installed them and you have trusted that person who developed them. There's a lot more complexity to security beyond that, too, in that code can be inserted in ways that you may not have anticipated.

Like if you have a blogging application and people can type whatever they want in the blog entry and you happen to type some JavaScript into that blog entry ... What does the application do? Is that code executed?

So we've given a lot of thought to the complete security model across that range of use and to protect applications from that kind of unforeseen situation where code is injected. And I think if you look at how we have introduced that model of security in AIR it's very forward-thinking. And we've looked at how the browsers, which have the same problem right now, where code can get injected that way. We've introduced a model to actually handle that situation and prevent it.

Darryl K. Taft covers the development tools and developer-related issues beat from his office in Baltimore. He has more than 10 years of experience in the business and is always looking for the next scoop. Taft is a member of the Association for Computing Machinery (ACM) and was named 'one of the most active middleware reporters in the world' by The Middleware Co. He also has his own card in the 'Who's Who in Enterprise Java' deck.
