Tuesday, April 6, 2010

OWASP AIR + Flash Security Projects

I saw this response to a question on the OWASP-Leaders mailing list and I thought that the information was worth re-posting.
- Jim Manico
***
The OWASP AIR Security Project (http://www.owasp.org/index.php/Category:OWASP_AIR_Security_Project) and the OWASP Flash Security Project (http://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project) are useful resources for developers who want to create secure AIR applications. If desktop administrators have questions regarding AIR, Adobe provides resources at: http://www.adobe.com/products/air/it_administrators/.

With regard to file access, desktop applications based on the AIR runtime follow the same security model as any other desktop application. The application will inherit the privileges of the user who launched it, and the application will be able to access any file or resource that the user has permission to access. You are trusting the author of the desktop application not to misuse their privileges, which is why all AIR applications must be digitally signed by the author.

However, trustworthy authors sometimes make mistakes during development that could allow unauthorized access to local files or resources by untrusted content. To help reduce those types of vulnerabilities, the AIR runtime restricts sensitive APIs and implements secure defaults. As an example, any content that was not contained within the signed install package is considered to be untrusted and it is placed in a restricted sandbox by default. If the developer wants to grant the restricted content additional privileges, then the runtime provides APIs where developers can specifically choose what functionality or data is exposed. Therefore, file access is never granted to remote content by default and the developer can selectively choose what, if any, files or data are exposed.

Let me know if you have any further questions.

------------
Senior Security Researcher
Adobe Systems, Inc.
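
***
The "developer selectively chooses what is exposed" idea from the message above, as an added example that is not part of the original e-mail and does not use AIR runtime APIs: a plain JavaScript model in which trusted code hands untrusted content one narrow, path-checked function. The names `makeBridge`, `readShared`, `resolveInside` and the file paths are hypothetical.

```javascript
// Added illustration: models the "expose only what you choose" pattern in plain
// JavaScript. makeBridge, readShared and the file names are hypothetical.

// Constructed stand-in for files the launching user can read.
const userFiles = new Map([
  ["/home/alice/app-data/shared/help.txt", "How to use this app"],
  ["/home/alice/.ssh/id_rsa", "PRIVATE KEY"],
]);

const SHARED_ROOT = "/home/alice/app-data/shared";

// Resolve a relative name against root, collapsing "." and "..".
// Returns null when the name is absolute, malformed, or would leave root.
function resolveInside(root, name) {
  if (typeof name !== "string" || name.startsWith("/") || /[\0\\]/.test(name)) return null;
  const parts = [];
  for (const seg of name.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg !== "..") { parts.push(seg); continue; }
    if (parts.length === 0) return null; // would climb above root
    parts.pop();
  }
  return parts.length ? root + "/" + parts.join("/") : null;
}

// Trusted (signed) application code builds the bridge. Untrusted content
// receives only this frozen object, never the file store itself.
function makeBridge(files, root) {
  return Object.freeze({
    readShared(name) {
      const full = resolveInside(root, name);
      if (full === null || !files.has(full)) {
        return { ok: false, error: "not available" };
      }
      return { ok: true, data: files.get(full) };
    },
  });
}

// Untrusted (remote) content, modelled as a function handed only the bridge.
function untrustedContent(bridge) {
  return [
    bridge.readShared("help.txt"),
    bridge.readShared("img/../help.txt"),
    bridge.readShared("../../.ssh/id_rsa"),
    bridge.readShared("/home/alice/.ssh/id_rsa"),
  ];
}
```

The bridge returns the same generic error for a rejected path and a missing file, so untrusted content cannot use it to probe which files exist outside the shared directory.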
