(If you’re curious, you can read the background details below.)

Here’s how you can help:

1. Download the .air file for the test application (339 KB)
2. Double-click the .air file to install it (you’ll need to have Adobe AIR installed already, of course).

3. When the installer gets to the warning dialog, check to see if the certificate is trusted or not. If the certificate is trusted, the dialog will look like this (the circled areas are the specific things to check for):

   

   You can cancel the installation once you’ve seen the dialog — it’s just a super-plain “hello world” application anyway.

4. Leave a comment with your results! If the certificate is trusted (if it looks like the image) leave a “Yes” comment. If the certificate isn’t trusted, say “No” in your comment. In either case, you get bonus points if you add what kind of computer (manufacturer and model name) you tested, what operating system (including version number and language) you’re running, and where (country/city) you live.
5. Repeat the test on other computers you may have access to (parents, friends, roommates, etc.). Spread the word and ask your developer friends to test it out also! I’d like to get a good cross-section of machines, not just developer machines in the United States running the latest OS X or Windows.

Once again, here’s the link to leave a comment with your results.

Background

I got a code-signing certificate from ChosenSecurity. Since they’re not a “big name” Certificate Authority like Verisign, I was worried that the certificate might not be trusted on as many machines. (If on a given machine a chain of trust can’t be established for a certificate you get the “unknown publisher” dialog when you’re installing AIR apps signed with that cert, regardless of whether the certificate is self-signed or not.)

However, since I was getting my code-signing certificate for free, I decided to give it a try and be the “guinea pig” for other developers who might be considering a ChosenSecurity certificate. (The advantages of the ChosenSecurity cert are that it costs less and you don’t have to have a backing company — you can get the certificate as an individual.)

Thanks very much for participating. Remember, this isn’t just for me — this is for all AIR developers who are wanting to get a code-signing certificate for less, but are concerned that the certificate might not be trusted on every machine where they’d like their apps to run.

…and another update Sept. 22, 2009

…and still another update Sept. 25, 2009

If you were following Twitter during the San Francisco Flash Camp on May 29, you might have seen that Arno Gourdol, Engineering manager for AIR, announced/showed a few features that are going to be in the next major version of AIR code name “Athena”.

Today I found the link to the video of Arno’s presentation “Flash Camp Update on Adobe AIR,” so even if you couldn’t attend you can learn about those features yourself. The video’s fairly long and the new stuff is near the middle/end, so here are the highlights for you to watch for (sadly the video doesn’t have time markers so I can’t give exact times):

• He starts the demo a little past the half-way point of the presentation.

• He shows an app that detects when a drive is mounted/unmounted by listening for the new StorageVolumeChangeEvent.STORAGE_VOLUME_MOUNT and STORAGE_VOLUME_UNMOUNT events. He plugs a USB thumb drive into his computer and, sure enough, the new drive appears in the FileSystemDataGrid in his app.

  

• Next he shows a change to the AIR installation process that’s coming in the “Squirter” release, which is a dot release coming out “probably late this summer” according to the video. The change is specifically to the warning dialog that’s displayed when a user installs an AIR app that’s signed by a trusted security certificate.

  Here’s the new version that he showed:

  

  For reference, here’s an example of the current warning dialog. The highlighted items are the parts that are removed in the new dialog. It also looks like the “Install” and “Cancel” buttons have switched places for some reason, and some white space has been tightened up. Other than that the new dialog is the same (as far as I can tell):

  

Update Sept. 18, 2009

A couple of other new features have been mentioned publicly since I posted this:

• In an AIR forum post, product manager Rob Christensen mentioned that the next major version of AIR will “provide an API to allow you to open documents” in their default applications. (The examples discussed in the post are opening Word or Excel files in their respective applications.) The code for this feature actually appears in the sample Arno showed at Flash Camp — he just didn’t point it out (look right above his head):

  

• AIR principal scientist Oliver Goldman mentioned in a blog post that in his MAX 2009 talk he will be talking about “the new deployment options that will be available in Adobe AIR 2, including the native installer support required to use some of the advanced new AIR 2 APIs.”
• And of course, Oliver’s quote also makes it explicit that the next major release of AIR is called “AIR 2.” In case that wasn’t so likely as to be obvious.

Update Sept. 22, 2009

Another update: In his Flash on the Beach 2009 presentation “Advanced Desktop Development with Adobe AIR” Mike Chambers described the following feature (on page 20 of his slides):

NativeProcess API

• New API in AIR 2.0
• Can call and communicate with external applications
• Requires application be distributed as native installer (no AIR files)
• Cannot execute applications within application directory
• Must add “extendedDesktop” to support profiles

Update Sept. 25, 2009

At a Flash users’ group meeting in Paris, Mike Chambers announced and demoed “the new raw microphone access feature coming in AIR 2.0.” Source and video: Lee Brimelow

Adobe AIR data privacy and security slides, notes, and links (1 MB .zip)

As a side note for those who actually attended the presentation, in retrospect I think I over-emphasized the security concerns and didn’t emphasize enough that there are plenty of use cases for which AIR is definitely secure — especially in the case where you need to keep the user’s private data secure. Hopefully the notes that accompany the slides help to clarify this somewhat.

I also used and referred to a number of resources in my presentation, which are listed below. The download .zip with the slides also includes an html page with all these links.

Introduction

• "Maintaining security with Adobe AIR" by Ethan Malasky and Peleus Uhley (Adobe MAX 2008)

Background

• "AIR security" (Adobe AIR documentation)
• "Why Adobe AIR Doesn’t (Yet) Include the Feature You Most Want" by Oliver Goldman
• "Understanding the Flash Player Security Model" by Deneb Meketa (Adobe MAX 2008)
• "Considerations for using encryption with a database" (Adobe AIR documentation)
• "Using digital rights management" (Adobe AIR documentation)
• Operating system security (user and "admin" rights)
  • "What are Adminstrative Rights, Anyway?" by Oliver Goldman
  • "Does Installing an AIR Application Require Admin Rights?" by Oliver Goldman
• Source code visibility
  • Action Script Viewer (ASV)
  • "Ethical SWF Decompiling" by Lee Brimelow
  • Nitro-LM
• Encryption: ActionScript crypto libraries:
  • as3crypto
  • OpenSSL (partially) cross-compiled to ActionScript using Alchemy

AIR application installation

• Sign your app with a trusted cert
  • "Code Signing in Adobe AIR" by Oliver Goldman
  • "Digitally signing Adobe AIR applications" by Todd Prekaski
  • Promotion: get a free signing certificate (while supplies last) by submitting your app to the Adobe AIR marketplace
• Plan for updates
  • "Building AIR applications that can be easily updated" by David Deraedt
  • "Using the Adobe AIR update framework" Quick Start article by Jeff Swartz (Adobe AIR documentation)

Modular applications

• Sandbox bridge
  • "Scripting between content in different domains" (Adobe AIR documentation)
• XML signature validation
  • "Creating and validating XML signatures" by Joe Ward
  • "Using the XML signature validation classes" (Adobe AIR documentation)
  • "flash.security package" reference (Adobe AIR documentation)

Local shared objects

[No links]

Encrypted Local Store

• "Storing encrypted data" (Adobe AIR documentation)
• "EncryptedLocalStore class" reference (Adobe AIR documentation)

Local files

[No links]

Local SQL database (SQLite)

• SQL injection attack
  • "Using parameters in statements" (Adobe AIR documentation)
  • "SQLStatement.parameters property" reference (Adobe AIR documentation)
• Encrypted database
  • "Using encryption with SQL databases" (Adobe AIR documentation)
  • "Using the EncryptionKeyGenerator class to obtain a secure encryption key" (Adobe AIR documentation)
  • as3corelib project (includes the EncryptionKeyGenerator class and hashing algorithms