Now I want to start this off with the statement that I REALLY like Adobe AIR. I think it is an awesome technology that can allow us to do some REALLY fantastic things, and I would not want to say anything bad about it. I have been using it from a project that would have been out of my reach without it.
I also want to point out that I am NOT saying that you should not install AIR applications. AIR applications, like I said, are really cool and can do some neat stuff. But, like any desktop application, they can be written to be malicious.
I will reiterate that. Like any desktop application, they can be written to be malicious. That's right, an Adobe AIR application is a desktop application. And when you run that application, it runs with the same operating system rights that you, the user, have. This means that the AIR application has the same read and write access to the local file system that the user does.
To test this out, I created an AIR application using HTML and jQuery. My application looks for a specific file on the user's desktop and reads the content of that file. It then loads the content of the file to a div on the screen letting the user know that the data was stolen from their desktop. The application also, for the sake of security testing only, uses jQuery's $.ajax() method to send that data to a remote server where it can be stored. Since AIR does not have a Cross-Domain request restriction, this is not a problem.
Thank you Ben Nadel for being my guinea pig to test this out.
At first I thought to myself that this was pretty scary stuff. I was NOT arrogant enough to think that I had stumbled across some HUGE security hole in AIR that no one else had found, but I did wonder why I had never heard a discussion about this.
Perhaps others take it for granted, but it then occurred to me that an AIR application is just another desktop application. Nothing that I have said above is unique to AIR applications. Any desktop application has the same privileged access to the local file system. Any desktop application could be written to harvest information off of the user's machine and send it to a remote location.
The big difference that I see, even in my own behavior, is that with AIR applications, I never stopped to think about it. When I set out to look for a new desktop application or when I am encouraged to install something new, through a recommendation, or even from a random email, I see that .exe extension and I stop and think. I take the time to scan it for viruses. If I am searching for the application, I make sure that I download it from a reputable source, like download.com. I have never done that with an AIR application. I would see that shiny badge on someone's web sites and say "OOOOooooooOOo Shiny", and then I would click it. And if I would get that error about it being an unsigned application, I would click right through. I can't be bothered with that kind of a warning, right? It's not shiny.
Again, this is NOT a warning against AIR applications. AIR applications are awesome. This is a warning against installing without thinking. I think we've gotten a lot better about thinking before running .exe files (or whatever you Mac users have), and some of us even stop to think before clicking on .bat, .wmv, .jar, and others. I am simply suggesting that you take the time to think about the AIR applications you are installing as well. Especially since that shiny badge can sometimes hinder our critical thinking processes.
Oh, and do not ignore those warnings about digital signatures. They are there for a good reason. A digital signature that is issued by a trusted third-party vendor can assure the customer that the application that is being installed is from the publisher that they expect. To learn more about digitally signing AIR application, you can read this Adobe devnet article.