Fearmongering and FUD about Adobe AIR

by Jason on

Lots of people (1, 2 and many others) are trumpeting the idea that Adobe AIR is somehow not secure when compared to other deployable applications. I think it’s time we laid this one to rest. Adobe has done absolutely nothing to reassure end users, and in fact, with their ridiculous “badge” installer warnings, they have made this worse.

Nothing that you download and install on your computer can be considered “Secure”. If a user installs a program, they are extending a level of trust to that application. If anything, Adobe is providing a level of warning above and beyond that of a typical .NET or Java executable. (At least it’s a requirement that AIR applications be signed to be deployable.)

Let’s compare a .NET executable on your system vs an Adobe AIR executable (Windows used as an example).

.NET (VB / C# etc.)

  • Warnings on “security” within the installer – Little to none depending on installer used
  • Must use a certificate – No (Of course it can and should)
  • Has Registry access – Yes
  • Can silently install other applications – Yes
  • Can silently install BHOs and malicious software – Yes
  • Can add itself to startup – Yes
  • Can monitor network activity – Yes
  • Can sniff network activity – Yes
  • Can affect device drivers – Yes
  • Has complete system access – Yes (If running from an Admin user)

Adobe AIR

  • Warnings on “security” within the installer – Ridiculous over the top warnings are the norm
  • Must use a certificate – Yes (Self Signed certs are avail, but will display as “Unknown” publisher)
  • Has Registry access – No (Not without significant hacks like the Java bridge)
  • Can silently install other applications – No (It can’t even install other AIR apps w/o user interaction)
  • Can silently install BHOs and malicious software – No (AIR in theory could deploy into a directory but could not load into the reg)
  • Can add itself to startup – Yes (However, startup appears in user’s “Startup” Program Files menu)
  • Can monitor network activity – Yes (included class only monitors whether connection is present or not)
  • Can sniff network activity – No
  • Can affect device drivers – No
  • Has complete system access – No (However like almost all executables it has access to the same areas of the filesystem that the “run as” user has)

RIA platforms are no more “dangerous” than any other platform. In fact Adobe has gone above and beyond (in my opinion hampering creativity and developer happiness) to ensure that AIR applications are at least crippled when it comes to their ability to deploy malicious payloads.

I do believe AIR could be used as a bit of a trojan to deliver malicious exe’s that are bundled in the AIR installer file. That said, that’s hardly a “security” flaw w/ AIR as that same “flaw” is built into the nature of software packaging.
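An .air installer file is a ZIP archive, so the bundled-executable case described above can be checked before anything is installed. The script below is an added example, not code from the original post: it flags archive entries whose first bytes match a native executable format regardless of file extension, and the sample package and its file names are constructed for the demonstration.

```python
import io
import zipfile

# Leading magic bytes of common native executable formats.
MAGIC = {
    b"MZ": "Windows PE",
    b"\x7fELF": "ELF",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit",
    b"\xce\xfa\xed\xfe": "Mach-O 32-bit",
}


def native_payloads(package):
    """Return sorted (entry name, format) pairs for entries that start with
    a native executable magic, whatever their file extension claims."""
    hits = []
    with zipfile.ZipFile(package) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(4)  # longest magic above is 4 bytes
            for magic, kind in MAGIC.items():
                if head.startswith(magic):
                    hits.append((info.filename, kind))
                    break
    return sorted(hits)


def build_sample():
    """Constructed sample package (not a real AIR application), in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/AIR/application.xml", "<application/>")
        zf.writestr("Main.swf", b"CWS\x0a" + b"\x00" * 16)
        zf.writestr("assets/logo.png", b"\x89PNG\r\n\x1a\n")
        # PE header hidden behind a harmless-looking extension
        zf.writestr("assets/helper.dat", b"MZ\x90\x00" + b"\x00" * 60)
        zf.writestr("bin/tool", b"\x7fELF\x02\x01\x01\x00")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for name, kind in native_payloads(build_sample()):
        print(f"{kind:14} {name}")
```

To check a downloaded package, pass its path to `native_payloads` in place of the in-memory sample.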

Fear… Uncertainty… Doubt, thy name is Adobe AIR.