AIR Security Criticisms

 
 
By Darryl K. Taft  |  Posted 2008-03-03
 
 
 

Adobe Floating on AIR


Adobe Systems in February launched its Adobe Integrated Runtime, or AIR, a new technology that lets developers use proven Web technologies to build rich Internet applications that deploy to the desktop and run across operating systems. At the Adobe Engage 08 event in San Francisco Feb. 25, eWEEK Senior Editor Darryl K. Taft spoke with Adobe Chief Technology Officer Kevin Lynch about AIR and a host of other issues.

As far as AIR deployment, why not just put it in Flash?

Well, the Flash player right now is still quite small in terms of its download and we still see that as being an important factor in the distribution and the rate of updates that we're getting with Flash. Right now, Flash Player 9 is being installed at the rate of about 12 million a day. It's one of the fastest distributions of technology I know about. This means we can update Flash across the Web-we can get over 90 percent penetration across the Web in over a year now with people updating it.

So size is part of that. And, of course, with bandwidth increasing, it may be possible to make the client technology bigger over time. But we see other opportunities for getting AIR out, so we don't have to necessarily include it with Flash to do that. There are a couple of ways.

One is we distribute [Flash] Reader. Reader is a larger download than Flash Player. Reader is a 30 or 40MB download right now. And so what we are looking at doing is making an application around AIR that we will include with Reader and that will also include the AIR runtime. And that will be one way that we'll get distribution. But over time, the biggest way that we'll drive distribution is applications using AIR.

That's the same way we distribute Flash today, where you go to a Web site that says in order to use this you need to get Flash Player. So most people have it now, so over time that will be the same mechanism that pulls AIR, but we'll also push it a little bit with things like Reader. So we should see fairly quick adoption of AIR, based on the applications I've seen and also our focus on getting it out.

But isn't the Flash Player only about a 500K download? Couldn't you just up that a little, as you said bandwidth is increasing?

The Flash Player is a little over a megabyte right now. But we're very cautious about increasing Flash Player's size. Although each release gets a little bit bigger as we add a new codec or other features to it. And we'll do that again in the next major Flash Player update. But we're just being cautious. The Flash Player team has a very intense focus on efficiency and performance and keeping the size of the player down.

When are you planning to, or are you in fact planning to, open-source Flash?

Well, we've already open-sourced portions of Flash. If you look at the core of the Flash Player, the virtual machine, that is now open source. That just happened last year. We actually took the virtual machine and we contributed that source code to the Mozilla Foundation. So not only is it open source, we've actually contributed the code to the Mozilla Foundation.

Open-Sourcing Flash


That's Tamarin you're referring to?

Yes, that's Tamarin. So the Flash Player team is actually working in that open-source tree on upcoming versions of that virtual machine that we'll put in Flash Player and also bring it to mobile devices and you can see the work going on there in the open-source project. And others can contribute to it. We're starting to see that happen now, which we're excited about. So that's a first step for us. It's a big step since it's the core execution engine inside Flash.

And we've also open-sourced the framework, Flex. Flex is free and now open source. And there's a public bug database and you can look at all the source and you can contribute changes back. So we're really open-sourcing significant parts of the technology already.

We want to make sure we get good experience managing the projects and taking changes back, and kind of being a good steward of the projects. So we're learning about that right now. It's a transition for us to adopt the open-source methodology, basically.

So you said Tamarin was a first step. Does that mean you're going to do a second, third, fourth step and so on until Flash is fully open source?

I think you'll see increasingly more open technologies from Adobe. Openness is part of our soul, even back to the early days of the PostScript standard and PDF. We publish the SWIFT format we have since 1998 and so that's part of who we are, and source code now is the next transition that's part of that. But we want to do it in a way that's thoughtful and that we manage it well and that we still ship high quality software and we're able to innovate fast. We can do that with open source, we just want to make sure we do it well.

I've watched this ongoing competition between Adobe and Microsoft. What do you think they need to do if they want to one-up AIR?

(Laughter) Well, it's interesting that they've not yet done something that is equivalent to AIR-that is a cross-operating system runtime for applications. The closest they've done is Silverlight in the browser versus Flash Player. And, in my view, this is the next generation of how people are going to be building applications-cross-operating system.

It's the next layer of abstraction on top of what is now the operating system. If you look back on what is now the history of computing, we've been building up these layers over time from initially toggling software into a machine, to assembly language, high-level languages, APIs, frameworks, user interface guidelines, OS APIs. That keeps layering on over the decades. I think we're at that next stage now where this new layer is emerging of the Web really, and how the Web is changing software.

So I haven't yet seen something from Microsoft that does that, and to some degree, they're not really motivated to do that because Windows is a big part of their business currently.

AIR Security Criticisms


Well, what about an offline Silverlight capability? Would that do it?

In order to do it well, your heart has to be in it. And if you look at what we're doing right now with our technologies like Flash and AIR, we're making sure they work reliably across operating systems. So that means Mac and Windows, but also Linux. We're releasing Flash Player now simultaneous for Mac and Windows. It took us a while to get their and now we're doing that, and it's the same core code.

If you look at what Microsoft is doing with Silverlight, they're not actually building the Linux version off the same code base. It's a new code base, which is unlikely to be compatible with the other code bases because it's just not built the same way. So there'll be different idiosyncrasies and we know that will be a problem. So we're really taking a passionate approach to reliability across OSes. And you really have to have that as the core essence of what you're doing or it won't really work that well. And that's what we're doing with Flash and with AIR.

And if you look at what AIR is doing with its capabilities, it's really far out ahead right now. We started building AIR early and we had a vision of what we thought would be a use case in the future for these applications to come on the desktop. At the time it was still the early days of rich Internet applications and people were still trying to figure out what that meant inside the browser.

So I think we made a long-term bet a while ago and we happened to hit at a time when people were really interested in solving some of the problems that AIR does now.

Sometimes you come out with a technology where the technology is ahead of its time or you come out when there are already 24 things out. We happened to hit something and I think right now we're there where it took us a while to build it, but it happened to come out at time when people are interested.

So how do you address the criticisms about security with AIR?

Well, AIR has a good security model. We are very much focused on security with AIR. The applications you install are signed, so as a user you can decide whether you trust that person or not.

If you don't trust someone who is offering you an AIR application, I don't recommend you install it because AIR applications do have access to your local information and that's what makes them more like a native application. But if you do trust them, then you're giving them rights to access your local data and it makes it a more productive application experience.

One thing we did look at is how to enable these applications to be secure once you have installed them and you have trusted that person who developed them. There's a lot more complexity to security beyond that, too, in that code can be inserted in ways that you may not have anticipated.

Like if you a have blogging application and people can type whatever they want in the blog entry and you happen to type some JavaScript into that blog entry ... What does the application do? Is that code executed?

So we've given a lot of thought to the complete security model across that range of use and to protect applications from that kind of unforeseen situation where code is injected. And I think if you look how we have introduced that model of security in AIR it's very forward-thinking. And we've looked at how the browsers, which have the same problem right now, where code can get injected that way. We've introduced a model to actually handle that situation and prevent it.

Support for Linux


You mentioned support for Linux with AIR. Can you expand on the importance of Linux for you guys and where you're headed with it?

The more diversity in operating systems, the better off Adobe is, because we make software that runs across operating systems. Whether that's Reader and PDF or it's Flash Player and AIR, one of the things that people really like about the software we make is that it works really well regardless of which OS you have.

Even going back to the early days of PDF, it was like, which word processor do you have? You used to have to have the same word processor to read a document, but with PDF it worked across them all. That's our expertise as a company.

So Linux adds more diversity; that's good. And I think if you look at how the economics are changing for software, then Linux is free and AIR is free, and the value's really now in the applications and services that are provided on top of those things.

So I think it's perhaps time for Linux to get used by more people. But it's really going to be whether the user experience is going to be good enough to enable that to happen. Part of that's the Linux OS itself and part of that's the applications on top. With the applications on top, I think we can really help with AIR and bring a lot of applications to Linux where people developing those apps will not even expect that they will run on Linux, but it will just work because it's running on AIR.

Who is better at designer/developer workflow, Microsoft or Adobe? Do you concede that to them?

No. I think that the workflow between designers and developers is very important, and we've realized that for a long time. The history of Adobe is about teams working together to create great things. And if you look even at the early days of multimedia or CD-ROM authoring, that was developers and designers working together to create these experiences. And designing tools to enable those groups to work together is tricky and we've been doing it for a long time.

Now with rich Internet applications, we've got the Creative Suite tools, which are the leading design tools in the world. We've got PhotoShop and DreamWeaver and Illustrator and all kinds of great tools in there, and that's what the design community is primarily using right now. And we've got out now Flex and the FlexBuilder tooling and developer tools, and the software already works together.

For example, you can, as a designer, use Illustrator to draw a skin for your application and you can actually import that skin in FlexBuilder as part of your application development process. So we're gluing together these applications in ways already to help these teams work together effectively.

I think it's a really important problem to solve and it's one we've been focused on for a long time and do great at. And we're leveraging the fact that designers already are really attracted to the tools that we currently make. I think it's a hard road to get those folks attracted to something else.

Adobe and Google


What's the status of the Adobe relationship with Google about Google Gears?

That's a project Google's been working on, and they used SQLite in Gears for local storage and we use the same database in AIR for local storage. So the relationship is we both use the same open-source local database, and we thought it would be a good idea to try to line the APIs up across those two things so a developer could make an app that would work with Gears and work with AIR. and both teams were actually too far along in their first version to actually make that shift. So they're kind of continuing on their own paths now.

And what we're seeing is at the framework level-the different AJAX frameworks-people are starting to provide that continuity across the two different mechanisms. So I think it's just two different approaches to how to enable these applications to work offline. But that is just one aspect of what AIR does. AIR is not just about working offline; it's also about integrating with your local machine and looking like a native application and a whole host of other things.

What's your software as a service story?

We're starting to build hosted services and software delivered as a service. There are a few examples right now. There's a premier Express, which is a rich Internet app that's built with Flex and is running in the browser and on Flash it enables you to remix videos. And it's running on YouTube and MTV and PhotoBucket.

It's a free application on their sites, so users can use it for free. But it's advertising-sponsored and Adobe shares in the ad revenue. So that's an example of how we're delivering software in a new way.

And we're also working on some new services, one of them is code-named Share. It enables you to store documents and share them with other people and control who can see it and things like that. And we're working on some other services as well. So you'll see more and more of that coming from Adobe-other hosted services and rich Internet applications, because we really think that is the future of software; hat is how people are going to be getting software and using software.

So we're in a situation where we're helping to enable that revolution with things like AIR. While at the same time, we've got a large inventory of software built in the traditional way. So as a company we are also making that transition and starting to use all of our expertise and teams and existing code and algorithms into this new world of rich Internet applications.

How big of a portion of the company do you see that becoming?

It's hard to tell. I think ultimately most software will be consumed in this new way over the next five or 10 years. This is a tidal shift in how software is made and used. So Adobe has to make that transition or we won't be as relevant a software company over that long period of time. We know that we're very focused on not only enabling that transition to happen, but participating in it ourselves.

And that's one of the great things about working in some of these technologies is that we can enable things in AIR or in Flash Player to make these applications work better and run faster.

Do you have any plans to do an AIR-based browser?

Well, AIR is really different than the browser. Now it has an HTML engine in it, WebKit, which is open source, by the way. So one could build an application that went to different Web pages, but there's not too much point in doing that because there are already browsers out that do that pretty well.

But building application user interfaces that pull data in and use it in neat ways is where a lot of work is happening. People could build a browsing experience, but I'm not sure people will or not. That's not the main focus of AIR certainly.

Rocket Fuel