Think twice before installing that AIR application

Now I want to start this off with the statement that I REALLY like Adobe AIR. I think it is an awesome technology that can allow us to do some REALLY fantastic things, and I would not want to say anything bad about it. I have been using it from a project that would have been out of my reach without it.

I also want to point out that I am NOT saying that you should not install AIR applications. AIR applications, like I said, are really cool and can do some neat stuff. But, like any desktop application, they can be written to be malicious.

I will reiterate that. Like any desktop application, they can be written to be malicious. That's right, an Adobe AIR application is a desktop application. And when you run that application, it runs with the same operating system rights that you, the user, have. This means that the AIR application has the same read and write access to the local file system that the user does.

To test this out, I created an AIR application using HTML and jQuery. My application looks for a specific file on the user's desktop and reads the content of that file. It then loads the content of the file to a div on the screen letting the user know that the data was stolen from their desktop. The application also, for the sake of security testing only, uses jQuery's $.ajax() method to send that data to a remote server where it can be stored. Since AIR does not have a Cross-Domain request restriction, this is not a problem.

Thank you Ben Nadel for being my guinea pig to test this out.

At first I thought to myself that this was pretty scary stuff. I was NOT arrogant enough to think that I had stumbled across some HUGE security hole in AIR that no one else had found, but I did wonder why I had never heard a discussion about this.

Perhaps others take it for granted, but it then occurred to me that an AIR application is just another desktop application. Nothing that I have said above is unique to AIR applications. Any desktop application has the same privileged access to the local file system. Any desktop application could be written to harvest information off of the user's machine and send it to a remote location.

The big difference that I see, even in my own behavior, is that with AIR applications, I never stopped to think about it. When I set out to look for a new desktop application or when I am encouraged to install something new, through a recommendation, or even from a random email, I see that .exe extension and I stop and think. I take the time to scan it for viruses. If I am searching for the application, I make sure that I download it from a reputable source, like I have never done that with an AIR application. I would see that shiny badge on someone's web sites and say "OOOOooooooOOo Shiny", and then I would click it. And if I would get that error about it being an unsigned application, I would click right through. I can't be bothered with that kind of a warning, right? It's not shiny.

Again, this is NOT a warning against AIR applications. AIR applications are awesome. This is a warning against installing without thinking. I think we've gotten a lot better about thinking before running .exe files (or whatever you Mac users have), and some of us even stop to think before clicking on .bat, .wmv, .jar, and others. I am simply suggesting that you take the time to think about the AIR applications you are installing as well. Especially since that shiny badge can sometimes hinder our critical thinking processes.

Oh, and do not ignore those warnings about digital signatures. They are there for a good reason. A digital signature that is issued by a trusted third-party vendor can assure the customer that the application that is being installed is from the publisher that they expect. To learn more about digitally signing AIR application, you can read this Adobe devnet article.

andy matthews's Gravatar I think that looking for a specific file isn't that big of a deal because you'd have to know in advance that the file existed. A bigger issue might be using AIR to read the contents of say the users "My Documents" folder, and then viewing files therein; or even transmitting those files over the wire to the app writer.

I'd like to see that POC Jason.
# Posted By andy matthews | 5/27/09 10:40 AM
Jason Dean's Gravatar @andy, I was not trying to suggest that looking for a specific file was the major threat. The point is that the application has read/write access to the file system.

Although I will say that looking for a specific file can still be a threat. Looking for password.txt inside of My Documents may yield results more often than we would guess. It could also be a threat if the application is looking for files that will be in a certain place if a certain software package is installed (like if it is trying to find data for a financial software application).
# Posted By Jason Dean | 5/27/09 10:46 AM
Jason Dean's Gravatar @andy - Here you go:

function readLocalFile(){
   var f = air.File.userDirectory.getDirectoryListing()
   $.each(f, function(i, val){
# Posted By Jason Dean | 5/27/09 11:00 AM
John Dowdell's Gravatar Good point and true, thanks.

Web browsers are useful because you can visit any strange site safely (on the good days ;-) . But like you say, AIR apps are desktop apps, and do have local read/write privileges. We shouldn't install desktop applications as casually as we might click on a link to the next hypertext document.

tx, jd/adobe
# Posted By John Dowdell | 5/27/09 1:28 PM
Jason Dean's Gravatar @John, thanks for taking the time to comment. That's a nice way to articulate it.
# Posted By Jason Dean | 5/27/09 1:42 PM
Rey Bango's Gravatar @Jason: John said it perfectly. I think what happens is that people tend to think that the fact that web technologies are used makes AIR applications safer & the reality is quite different. And it's certainly not a problem with AIR as AIR was specifically designed to allow you to use these cool technologies to build desktop apps. This is certainly an issue of education.
# Posted By Rey Bango | 5/28/09 9:51 AM
Jason Dean's Gravatar @Rey, Yes, you are right. It is a matter of education.

I tried very hard to make it clear that I DO NOT think that this is a problem with AIR, but in fact is something that needs to be considered with EVERY desktop application. My intent was to help with that education by pointing out that AIR apps should be treated the same ask desktop apps.

Thanks for the comment
# Posted By Jason Dean | 5/28/09 10:23 AM
Rey Bango's Gravatar @Jason: Oh I know and I didn't see anything in your post that eluded to a problem w/ AIR. I'm just sharing my perspective. :)
# Posted By Rey Bango | 5/28/09 12:39 PM
BlogCFC was created by Raymond Camden. This blog is running version 5.9.1. Contact Blog Owner