On May 20, 2009 at the 360|Flex conference in Indianapolis I gave a presentation titled “Adobe AIR data privacy and security.” As I always do (and after a bit of a delay), here are the slides from my presentation. I’ve added fairly lengthy notes to the slides (I had to make the font smaller so they’d fit on the pages) so it’s more than just bullet points.

Adobe AIR data privacy and security slides, notes, and links (1 MB .zip)

As a side note for those who actually attended the presentation, in retrospect I think I over-emphasized the security concerns and didn’t emphasize enough that there are plenty of use cases for which AIR is definitely secure – especially in the case where you need to keep the user’s private data secure. Hopefully the notes that accompany the slides help to clarify this somewhat.

I also used and referred to a number of resources in my presentation, which are listed below. The download .zip with the slides also includes an html page with all these links.

Introduction

• "Maintaining security with Adobe AIR" by Ethan Malasky and Peleus Uhley (Adobe MAX 2008)

Background

• "AIR security" (Adobe AIR documentation)
• "Why Adobe AIR Doesn’t (Yet) Include the Feature You Most Want" by Oliver Goldman
• "Understanding the Flash Player Security Model" by Deneb Meketa (Adobe MAX 2008)
• "Considerations for using encryption with a database" (Adobe AIR documentation)
• "Using digital rights management" (Adobe AIR documentation)
• Operating system security (user and "admin" rights)
  • "What are Adminstrative Rights, Anyway?" by Oliver Goldman
  • "Does Installing an AIR Application Require Admin Rights?" by Oliver Goldman
• Source code visibility
  • Action Script Viewer (ASV)
  • "Ethical SWF Decompiling" by Lee Brimelow
  • Nitro-LM
• Encryption: ActionScript crypto libraries:
  • as3crypto
  • OpenSSL (partially) cross-compiled to ActionScript using Alchemy

AIR application installation

• Sign your app with a trusted cert
  • "Code Signing in Adobe AIR" by Oliver Goldman
  • "Digitally signing Adobe AIR applications" by Todd Prekaski
  • Promotion: get a free signing certificate (while supplies last) by submitting your app to the Adobe AIR marketplace
• Plan for updates
  • "Building AIR applications that can be easily updated" by David Deraedt
  • "Using the Adobe AIR update framework" Quick Start article by Jeff Swartz (Adobe AIR documentation)

Modular applications

• Sandbox bridge
  • "Scripting between content in different domains" (Adobe AIR documentation)
• XML signature validation
  • "Creating and validating XML signatures" by Joe Ward
  • "Using the XML signature validation classes" (Adobe AIR documentation)
  • "flash.security package" reference (Adobe AIR documentation)

Local shared objects

[No links]

Encrypted Local Store

• "Storing encrypted data" (Adobe AIR documentation)
• "EncryptedLocalStore class" reference (Adobe AIR documentation)

Local files

[No links]

Local SQL database (SQLite)

• SQL injection attack
  • "Using parameters in statements" (Adobe AIR documentation)
  • "SQLStatement.parameters property" reference (Adobe AIR documentation)
• Encrypted database
  • "Using encryption with SQL databases" (Adobe AIR documentation)
  • "Using the EncryptionKeyGenerator class to obtain a secure encryption key" (Adobe AIR documentation)
  • as3corelib project (includes the EncryptionKeyGenerator class and hashing algorithms