SECURITY WARNING: be careful when you install Adobe AIR applications

July 21, 2008

I’ve been building applications for Adobe AIR since its very first public alpha and I totally love it; it’s a brilliant platform that opens up several unexplored possibilities by allowing web developers to extend the reach of their applications to their users’ desktops. One aspect of AIR applications that is not talked about enough, though, is security.

AIR applications are installed on your desktop and have access to your file system and the Internet at the same time, and this can be a dangerous combo. There are several measures taken by the AIR runtime to ensure the security of your information, you can read more about them here, but all in all, just like any other desktop application, you are trusting the creator of the AIR application to be true to his word and not do bad things with your data ….

I establish this trust based on the public reputation of the developer/company who created the application. If the developer/company is well respected in the online world, then it’s generally safe to install his/its application .. it will be incredibly stupid for a reputed developer/company to do sneaky things because some smart developer could easily catch them in the act.

Another key factor in trusting an AIR application is knowing for sure that it was actually made by the developer/company I think it was made by .. the AIR platform facilitates this by allowing developers to sign their .air files with security certificates purchased from reputed companies like Thawte and Verisign. The AIR documentation describes this as follows ..

When an AIR file is signed, a digital signature is included in the installation file. The signature includes a digest of the package, which is used to verify that the AIR file has not been altered since it was signed, and it includes information about the signing certificate, which is used to verify the publisher identity.

So if the .air file is not signed, there is no guarantee that it was not tampered with and actually comes from the developer/company you think it came from. What’s worrisome though, is that not a lot of users seem to be aware of this or care about it .. also not a lot of developers are signing their applications.
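The two checks in the documentation quote (a digest for integrity, a certificate for publisher identity) answer different questions, and a small model shows them coming apart. This is an added example, not code from this post or from Adobe: it uses toy textbook RSA over constructed Mersenne-prime keys, the names `Example Publisher` and `Example CA` are hypothetical, and it generalizes slightly by also checking that an upgrade is signed with the same key as the installed version.

```python
import hashlib

E = 65537  # public exponent shared by all toy keys

def make_key(p, q):
    """Toy textbook-RSA key from two primes (constructed; not secure)."""
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}

def _h(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data, key):
    return pow(_h(data, key["n"]), key["d"], key["n"])

def sig_ok(data, sig, n):
    return pow(sig, E, n) == _h(data, n)

def make_cert(subject, key, issuer, issuer_key):
    body = f"{subject}|{key['n']}".encode()
    return {"subject": subject, "n": key["n"], "issuer": issuer,
            "sig": sign(body, issuer_key)}

def package(payload, cert, key):
    return {"payload": payload, "cert": cert, "sig": sign(payload, key)}

def check(pkg, trusted_cas, installed_n=None):
    """Return the three separate answers an installer needs."""
    cert = pkg["cert"]
    body = f"{cert['subject']}|{cert['n']}".encode()
    ca_n = trusted_cas.get(cert["issuer"])
    return {
        # payload matches the signature made with the embedded key
        "intact": sig_ok(pkg["payload"], pkg["sig"], cert["n"]),
        # embedded key is vouched for by a CA the installer already trusts
        "publisher_verified": ca_n is not None and sig_ok(body, cert["sig"], ca_n),
        # on upgrade: same key as the version already installed
        "same_signer": installed_n is None or installed_n == cert["n"],
    }

# Constructed keys (Mersenne primes) and names; all hypothetical.
CA = make_key(2**521 - 1, 2**607 - 1)
DEV = make_key(2**127 - 1, 2**89 - 1)
OTHER = make_key(2**107 - 1, 2**61 - 1)
TRUSTED = {"Example CA": CA["n"]}

ca_signed = package(b"app v1", make_cert("Example Publisher", DEV, "Example CA", CA), DEV)
self_signed = package(b"app v1", make_cert("Example Publisher", DEV, "Example Publisher", DEV), DEV)
altered = dict(ca_signed, payload=b"app v1 + extra code")
resigned = package(b"app v1 + extra code",
                   make_cert("Example Publisher", OTHER, "Example Publisher", OTHER), OTHER)

if __name__ == "__main__":
    for name, pkg in [("ca_signed", ca_signed), ("self_signed", self_signed),
                      ("altered", altered), ("resigned", resigned)]:
        print(name, check(pkg, TRUSTED, installed_n=DEV["n"]))
```

The `resigned` package passes the integrity check on its own terms, which is why a self-signed file only helps when there is an earlier installed key to compare against.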

Let’s take the example of probably the most popular AIR application there is … Twhirl, the twitter client. The guys at Twhirl yesterday announced a new version that integrates Identi.ca and allows you to use Identi.ca via twhirl. The cool part is that twhirl uses Identi.ca’s XMPP infrastructure to integrate with it, allowing Identi.ca to push updates to twhirl, instead of twhirl having to poll for updates periodically, the way it does for twitter. There are some things to note here though … quoting the CNET announcement

Identi.ca doesn’t do the pushing itself. Instead, Identi.ca sends its updates to Google Talk, a Jabber-based IM platform that supports the open XMPP standard for instant messaging; and it’s those XMPP messages that get pushed out to the Twhirl desktop clients installed on users’ computers.

The two-step requires users have two logins: One for Identi.ca, and one for Gtalk, and that they enter them into both Identi.ca and Twhirl.

Hmmm, so I have to give my Google login details to Twhirl for it to work with my Identi.ca account, now given that Twhirl is owned by Seesmic, is supported by guys like Loic Le Meur and is constantly scrutinized in the public domain… if I feel the need (I don’t with Identi.ca) I can trust Twhirl with that information, the same way I trust Adium with my google account info. That’s the first step of establishing my trust in Twhirl, the second step is ensuring that the .air file I downloaded from twhirl.org actually came from there i.e. there was no man in the middle serving me a .air file that looks and feels exactly like twhirl and does all the things twhirl does but at the same time sends my Google account info to a server somewhere, that stores and later uses this info to do all sorts of unimaginable bad things .. how do I ensure this? Is the .air file signed by Twhirl?

OMG !! NO !! … sorry twhirl I cannot trust you with my google account info.

 

 

I’m not saying that twhirl’s servers are being attacked in this way, but there is a possibility that they could be, so developers please sign your AIR applications so that I can easily trust them and users please take utmost care when installing AIR applications, only install applications that you can trust.

31 Responses - What do you think?

  1. @djseesmic – Recommend to sign the Twhirl application for security. See also http://bit.ly/2GuhGS

  2. Good blog post Mrinal — in my view this is not really an AIR issue though.

    We all run desktop applications every day and rarely think about the possible harm they can do. AIR is similar in that respect, and Adobe has made it pretty clear that you need to make sure you trust the publisher and promoted getting a certificate to sign your applications.

    You get the warning message in the install wizard and make a choice there. Rather than saying “security warning be careful when installing AIR apps” it might be more appropriate to say something like “the importance of signing AIR applications”.

    It almost makes it sound like AIR has security issues whereas it’s very open about any possible risks as opposed to regular desktop apps that many people download and install without giving it a second thought.

    You definitely have a point about Twhirl and am surprised they didn’t get a certificate for their app yet. I am getting increasingly nervous about spreading out my different account details in various web 2.0 applications and social networks.

    Perhaps OpenID can help provide an answer for this problem, I for one would like to see it take off.

  3. Be careful installing AIR Apps – worth the read: http://tinyurl.com/57yz74

  4. one of the very first things i tried was writing an app that iterates through a folder and deletes the contents. took me all of three minutes. :) That type of maliciousness can also be done in .net or java. The onus is on the user to put some level of thought into the apps they install.

    Same goes for web apps that ask for your username and password to scrub your contacts. People blindly give it up. I don’t get it. You wouldn’t give a stranger the keys to your house.

    I think one of the biggest reasons this issue about AIR security has even come up is that they *are* making the user aware that the app will have system access. It’s not that apps written in other languages can’t do that, they just aren’t telling the user. :)

  5. There’s more than just one thing wrong with the implementation. The application itself is not signed – which, as you point out should be cause of concern. At the same time, the growing number of websites/applications asking users to enter their login/pass for other domains should be discouraged. It directly encourages users to be ok with sharing their access information at domains which are not directly associated with such information. This pattern in general should be discouraged ..

  6. SECURITY WARNING: be careful when you install Adobe AIR applications (yes, I’m posting this from Twhirl, an AIR app)… http://is.gd/Z5z

  7. Peter,

    Glad you like the post and as you said the issue is certainly not with AIR here, in fact since AIR is more controlled it is actually more secure when compared to other desktop environments .. I did not realize that the title of the post conveys a problem with AIR as a platform, I was actually trying to take special care not to start any such misconception.

    Why the title reads what it reads is because users seem to be exceptionally careless with AIR .. I feel that users are not paranoid enough about AIR apps the way they are about desktop apps in general, being paranoid and over cautious about anything you install on your desktop (AIR or otherwise) is very important and helping users understand that was my intention behind this post.

    I also wanted to stress to developers that it is imperative that you get your apps signed. The fact that twhirl is installed on thousands of systems without being signed is worrisome and encourages other developers to take the same route.

    I totally support OpenID too, although over a recent discussion with Navjot (who also commented above) I realized that it has its shortcomings too and needs to be worked upon before it becomes a standard.

    Mrinal

  8. @Brandon, I totally agree man .. the guys at Adobe have gone to great lengths to ensure that AIR users understand the risks that they are taking .. but I feel we have to spread awareness among both users and developers so that all applications are signed .. I hope this happens before we see a major incident that cashes in on this ignorance and carelessness of developers/users

  9. mike chambers
    July 22nd, 2008

    Shouldn’t the title read:

    “SECURITY WARNING: be careful when you install ANY applications”

    ??

    If your intent was to encourage developers to obtain certificates and sign their apps, why such a sensationalist title which could be misconstrued?

    mike chambers

    mesh@adobe.com

  10. Mike,

    “sensationalist” ? .. really?

    “SECURITY WARNING: be careful when you install Adobe AIR applications” … is that bad advice? shouldn’t users be careful when installing an AIR app? shouldn’t adobe be telling this to every user who installs an AIR app? oh wait you do exactly that in the warning screen of the installer with the big red X marks … so how is the title of my post sensationalist?

    Sure the statement can be said in a more general context of any kind of application, but how does that help anyone? I am interested in AIR as a platform, I was trying to address the fact that many AIR developers are not signing apps and because of the large number of AIR applications released recently users seem to have entered this comfort zone with AIR and don’t bother thinking about what they install … thousands of installations of twhirl is proof of that.

    This comfort zone seems great at first to me as an AIR developer and you as adobe .. but what happens when someone exploits this lack of awareness/ignorance .. wouldn’t the platform get a bad name then?

    Mrinal

  11. mike chambers
    July 22nd, 2008

    >I was trying to address the fact that many AIR developers are not signing apps

    Then why not a title that reflects that?

    The current title (with SECURITY WARNING) suggests that installing an AIR application is particularly dangerous, when in fact, it is as secure, if not more secure than installing a desktop application.

    For example, I found the article, by seeing someone twitter:


    SECURITY WARNING: be careful when you install Adobe AIR applications (yes, I’m posting this from Twhirl, an AIR app)… http://is.gd/Z5z

    If I don’t know much about AIR, that sure looks like some big security hole has been found.

    mike chambers

    mesh@adobe.com

  12. >Then why not a title that reflects that?

    I stated two reasons for the post … “I was trying to address the fact that many AIR developers are not signing apps and because of the large number of AIR applications released recently users seem to have entered this comfort zone with AIR and don’t bother thinking about what they install … thousands of installations of twhirl is proof of that.”

    The title addresses the second point i.e it “warns” users and advises to “be careful” and not trust unsigned AIR apps and be cautious of what they install. This warning is important and relevant because given the install numbers and popularity of unsigned AIR apps like twhirl we know that users are not paying much attention to this and maybe trust AIR too much and are not aware that these apps can be as dangerous as other desktop apps

    The word “warning” is not suggestive of a problem or a “hole” as you put it, it’s advice to users to be warned and be careful, I hope you agree they should be .. I do see how someone could misinterpret that one word in the title, but then there is a 700+ word post explaining the title.

    Mrinal

  13. @Mrinal, it’s obvious that you disagree but I have to agree with Mike on this one. To the average user seeing your headline, I think their first thought would be that there’s something inherently insecure about AIR apps (compared to other desktop apps), for example, a newly discovered security hole. I’ve read your comments and I understand your reasoning but that doesn’t alter the fact that headlines like this are commonly used in the context of highlighting a critical software vulnerability and so, whether you like it or not, that’s the impression your casual audience are going to get. In that sense, it is sensationalist. I mean, the capitalised “SECURITY WARNING”?!? Gee, that seems to me like it must be really urgent. It looks to me like the only post you have written with big, screaming capitals (acronyms excepted). How about the alternative headline, “Adobe AIR: A better security model than most desktop apps but still exercise caution when installing” ;) Oh well, you got me reading your blog…

  14. @Darren I realize that the title can be misinterpreted by someone who is just skimming through although that was never my intention, which I think is clear from the content of the post .. so calling me a sensationalist just feels a little harsh :(

  15. Hmmm, so I have to give my Google login details to Twhirl for it to work with my Identi.ca account… http://snipurl.com/32vml

  16. omg. Sensationalistic? I don’t think so. If this were a sensationalistic post, there would be some idiotic mention of AIR vs. Silverlight. ;)

  17. SECURITY WARNING: be careful when you install Adobe AIR applications http://tinyurl.com/57yz74

  18. mike chambers
    July 22nd, 2008

    No one said the post was sensationalist. A number of people said the title was.

    mike chambers

    mesh@adobe.com

  19. mike chambers
    July 22nd, 2008

    I just want to clarify my comments on this, because they seem to have been misconstrued.

    I think that the title was misleading. However, I agree with the actual post.

    -End users should be careful when they install desktop applications.

    -Developers should sign their application with a cert from a known and trusted authority.

    -End users should be careful about giving apps user / pass for services.

    This last item is really up to the service providers, who need to provide auth other than http auth. For example, FriendFeed and Flickr handle this in a way that doesn’t require the user to give their auth info directly to the app. It is more work for the developer to implement, but ultimately safer for the end user.

    mike chambers

    mesh@adobe.com

  20. In fairness, caution with AIR apps is almost more warranted.

    While code-signing in desktop applications is underused (available, but underused!), most desktop applications do not install automatically out of a browser as AIR applications can. And in my experience (having dealt with only partially tech-literate relatives!), people are more likely to blindly click ‘ok’ on things that pop up out of a browser than on a desktop. Only marginally so, but still.

    And yes, really, we need better methods for handling authentication without having to trust the secret details to a third-party.

  21. Hi Mrinal, thank you that is a good point that you are raising and I have addressed it with Marco.

    We’re not evil you can trust us, but I appreciate your concerns and let me know if I can reassure you in any way.

  22. Loic,

    I totally trust you guys :D … the signature will just assure me (and other users) that the air file came directly from you and was not tampered with before it reached me.

    Glad you realize the importance of this.

    I love twhirl,

    Cheers,
    Mrinal

  23. Mrinal,

    This post is really informative and thanks for sharing your knowledge, and finally I feel that if the Title of this post scares the non-developers, but when we read the post it’s not that scary, and very informative and developers can gather some basics here.

    regards,
    kumar.

  24. >I was trying to address the fact that many AIR developers are not signing apps

    Don’t you mean that most AIR developers are self signing air apps? I don’t think it is possible to package an app without signing it (at least by a self-signed certificate)

  25. Raghu,

    Thanks for the correction :) .. ya it’s not possible to package an AIR file without at least a self signed certificate.

    Although, what good is a self signed certificate … there is no guarantee of identity. In fact the AIR install wizard shouldn’t and doesn’t even show a self signed identity.

    Mrinal

  26. Thinking about it a little more.. a self signed certificate does provide a little bit of security in an upgrade scenario … provided, you did not receive a rogue AIR file the first time you installed the app.

  27. mike chambers
    July 28th, 2008

    >Although, what good is a self signed certificate

    It does provide some security by ensuring that the AIR file has not been tampered with since it was created.

    However, the publisher’s origin cannot be verified or trusted.

    mike chambers

    mesh@adobe.com

  28. >It does provide some security by ensuring that the AIR file has not been tampered with since it was created.

    Yeah .. although, as I mentioned, that helps only in an upgrade scenario and not otherwise since if someone were to tamper with an AIR file he could also repackage and sign it with a new certificate of his own.

    I’m assuming (haven’t tested it) that AIR runtime warns the user if there is a mismatch between the certificates of an old version and a new version during an upgrade .. so a self signed certificate does help in that scenario.

  29. Hope this puts to rest a lot of concerns raised here – http://raghuonflex.wordpress.com/2008/07/29/air_security_for_user/
