[OpenAjaxMobile] Adobe AIR approach to security

Jon Ferraiolo jferrai at us.ibm.com
Tue Mar 11 17:54:04 PDT 2008



http://labs.adobe.com/wiki/index.php/AIR:HTML_Security_FAQ

This has relevance to our Mobile Device APIs work. What Adobe is doing is
defining two sandboxes that can communicate with each other over a bridge:

* The AIR Application Sandbox - contains logic that was installed on the
local machine. This sandbox can access the AIR device APIs, such as the
file system APIs (pretty much the equivalent functionality as stdio.h).
This sandbox also can access any web url via cross-domain XHR. The big new
security restriction with the latest version of AIR is that dynamically
loaded JavaScript logic is disabled. You can't execute eval() [except for
JSON subset], link to "javascript:", or include a <script> tag within an
innerHTML.

* The AIR Non-application sandbox - Works pretty much like a web browser's
current same-domain policy, although there is an option to enable
cross-domain XHR. (I'm not sure how this option works, but my initial
reaction is worried.)

OK, let's talk about this. IMO, Adobe drew the wrong lines in the security
sand. Instead of restricting JavaScript within the AIR Application Sandbox,
my thinking is that it would be better to tell the user at install time
what local services (e.g., the file system) and specific list of domains
that the application will access, and then the AIR runtime should disallow
any unapproved requests. Furthermore, with regard to the file system, if
the application needs to access the file system, the installer should alert
the user about which areas of the file system it needs to access, and if it
selects a broad area (e.g., My Documents), then the user should be given
an especially dire warning.

I'm thinking ahead to the Mobile Device APIs discussion. Among the
sensitive information that needs to be taken into account are things like
the address book on the phone, the user's current location, his email
boxes, and his SMS history. (Plus the file system.)

I'm saying this mainly to spur discussion from the security guys, so please
speak up. The Mobile Task Force is listening.

Jon
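
Added example, not part of the original message and not Adobe AIR's API: a sketch of the install-time declaration and runtime deny-by-default check proposed above. The manifest format, function names, POSIX-style paths and the list of "broad" areas are assumptions made for illustration.

```javascript
// Constructed manifest: what the app declares at install time (hypothetical format).
const manifest = {
  domains: ["api.example.com"],
  fileAreas: ["/home/user/Documents/MyApp"],
};
// Areas treated as "broad" for the install-time warning (assumption).
const BROAD_AREAS = ["/", "/home/user", "/home/user/Documents"];

// Resolve "." and ".." so "MyApp/../../.ssh" cannot escape an approved area.
function normalizePath(p) {
  const out = [];
  for (const seg of p.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") out.pop();
    else out.push(seg);
  }
  return "/" + out.join("/");
}

// True only if target is the area itself or lies below it (segment-aware).
function isInside(area, target) {
  const a = normalizePath(area);
  const t = normalizePath(target);
  return a === "/" || t === a || t.startsWith(a + "/");
}

// Install time: one line per declared permission, flagged when the area is broad.
function installPrompt(m) {
  const lines = m.domains.map((d) => `Network access to ${d}`);
  for (const area of m.fileAreas) {
    const a = normalizePath(area);
    const flag = BROAD_AREAS.includes(a) ? "WARNING (broad area): " : "";
    lines.push(`${flag}File access under ${a}`);
  }
  return lines;
}

// Run time: deny every request the manifest did not declare.
function allowRequest(m, req) {
  if (req.type === "xhr") {
    let host;
    try { host = new URL(req.url).hostname; } catch { return false; }
    return m.domains.includes(host); // exact host match, no suffix matching
  }
  if (req.type === "file") {
    return m.fileAreas.some((area) => isInside(area, req.path));
  }
  return false; // unknown request types (address book, SMS, ...) are denied
}
```

Exact host matching and path normalization matter here: a suffix match or a raw string-prefix check would let a look-alike host or a `..` path slip past the declared list.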
