For Flex developers, moving from web apps to desktop apps brings a new set of data privacy and security concerns that you didn't have to think about before. Examples include storing private data safely, communicating securely with remote data stores, and generally understanding the security limits of AIR applications. In this session, we will discuss the security issues to look out for, the tools and techniques available in AIR for solving those issues, and what the limits and areas of concern are. All will be covered in a way that's understandable for normal coders -- no Ph.D. in cryptography required.
2. My background:
I worked for several years as a web application developer (server side as well
as UI). I studied the types of security techniques that are important for that
domain. However, once I started working in AIR I learned that there is another
set of potential concerns, and another set of solutions to learn.
In
I particular, I was working on the documentation f the encrypted d t b
ti l ki th d t ti for th t d database
functionality that was added in AIR 1.5 and I found myself questioning a lot of
my previous assumptions about how to keep data secure and even what it
means for an application to be âsecure.â That led to conversations with
engineers from the AIR and Adobe secure software teamsâŠwhich led me to
this presentation, as a way to compile the things I had learned and share them
with others.
others
2
3. Since I work on the AIR documentation team, I know that my colleagues and I
donât intentionally âkeep secrets.â As much as time permits, we try to put the
best information we can in the documentation.
Because of this, most of what Iâm going to tell you is available in the
documentation (or will be the next time we release an update).
In dditi
I addition, one resource that was particularly valuable t me i preparing thi
th t ti l l l bl to in i this
presentation is Ethan Malasky and Peleus Uhleyâs MAX 2008 session â
3
5. Flash Player has a different security model, based on the idea of security
sandboxes. (This model is common among web browsers and browser plug-
ins.)
The idea of security sandboxes is that any executable code that comes from a
network source runs within its own security sandbox. The code canât access
information about the userâs computer It also canât access code or data from
user s computer. can t
remote sources other than its own sandbox.
(Examples: accessing local files; full-screen mode restrictions (user-triggered
and esc); cross-domain policy)
This is very important. When you click on a link or type in a url you donât know
what youâre going to come across. It should not be possible for code from a
web site to cause damage to your computer or access private data without
your explicit consent.
5
6. AIR design philosophy:
AIR apps, on the other hand, are different from web pages in a browser. In order to
run an AIR app, you must explicitly opt in by choosing to install the application.
Consequently, AIR apps are able to perform lots of actions that arenât available to
Flash Player, browsers, etc. For example, any AIR app can delete every file from your
hard drive (at least, every file that you have access to). (Note that this is no different
than any other executable application that a user can install on his/her computer.)
The AIR runtime isnât intentionally designed to be âinsecure.â However, end-user
security is not generally a reason that particular functionality is excluded from AIR. As
Oliver Goldman, lead engineer for Adobe AIR states on his blog:
âAIR applications are desktop applications and can already do dangerous things. It
doesn't make sense for us to limit new features that aren't any more dangerous. We
do design features to default to safe behaviors but we don't reject features just
behaviors, don t
because they might be dangerous.â
There are exceptions to the rule that content executing in AIR has full system access.
A general way of describing the exceptions is that when AIR is functioning like a
browser, it behaves like a browser â the content is sandboxed like browser content.
(examples: SWF-in-HTML; remote or non-application content)
SWF in HTML; non application
Iâll discuss this in more detail later in the presentation.
6
7. âPrivacy is overratedâ
Thatâs probably overstating things a bit =)
However, itâs definitely true that not every application needs the utmost level of
privacy and security for the content it creates/manipulates/stores.
(examples: Photoshop; MS Word/Excel)
Whenever youâre designing an application, you need to carefully consider the
goals and uses of your application in deciding how much and what kind of data
privacy you need to provide.
7
8. An important step in deciding what level of privacy your application needs is
figuring out who should, and more importantly who shouldnât, have access to
the data. The answer to those questions defines what âdata privacy and
securityâ actually means for your application.
One category that I didnât think much about at first was keeping data private
from the end users themselves After all if they own the app they own the
themselves. all, app,
data, right? Not alwaysâŠ
(example: Video rental app)
This category is where AIRâs security measures are weakest. In all other cases
the end user is motivated to support the goal of keeping data private, or at
least has no interest either way. But in this case, the user has a motivation to
break the
b k th security of th application and may actively use attack t h i
it f the li ti d ti l tt k techniques t to
do so.
8
9. These are the most common ways that attackers try to obtain private data or
cause damage to the userâs system. This list is intentionally broad at this point
â later weâll talk about more specific ways that these attacks are carried out.
9
10. An AIR application executes with the access permissions and privileges of the
user who runs the app. If the user has permission to read data from a certain
folder, the AIR app can read data from that folder. Likewise, if an AIR app
writes private data into a location where only the user has access (such as
their âdocumentsâ or âapplication storageâ directories) then other users who
donât have access to those areas wonât be able to access that data.
However, this protection is fairly limited. It protects against other users who
donât have access to the files, but doesnât protect against âadminâ users and
doesnât protect against malicious apps that are running with the userâs
permissions.
The f ld
Th folder names f application storage di t i l k random at fi t
for li ti t directories look d t first
glance. Practically speaking, however, the application storage directory is not
obfuscated in any meaningful way. Other AIR apps, or any other app, could
enumerate folder and file names easily enough.
10
11. A .air file is just a zip file â you can change the extension to .zip and open it
using any ZIP file extractor.
Once the AIR application is installed, the unzipped source code is placed in
the application directory. For HTML/JS applications, this means the HTML and
JavaScript files. For a Flex- or Flash-based AIR app, this means the SWF file,
which can be easily decompiled
decompiled.
Demo decompiling a SWF
11
13. When a user downloads an AIR application from the Internet, the user has to
make a decision as to whether to install the application. This is essentially a
decision of trust â do they trust that the .air file comes from who they think it
comes from, and do they trust that person or company.
To assist the user in making a trust decision, the AIR runtime requires all AIR
apps to be signed with a code-signing certificate. This potentially provides two
forms of reassurance to the useruser.
1. The AIR runtime validates the content of the .air file to ensure that the bits
havenât been altered since the application was signed. That way, the user
can trust that the application hasnât been modified by some third party.
However, a malicious entity could just as easily take an app, modify its
contents, and re-sign it with another certificate. In that case, the app would
still pass the validation step.
2. The signed app can also be signed with a certificate issued by a
recognized certificate authority. If the computer recognizes the CA as a
trusted entity, the computer trusts the certificate that the app was signed
with and consequently shows the name of the entity that owns the
certificate in the installer. This guarantees that the specified company in
fact is the source of the application. However, it doesnât make any
judgement about whether that company is in fact trustworthy. For that the
trustworthy that,
user needs to rely on their own knowledge of the company and whether
they can be trusted.
13
14. AIR includes an easy and useful update framework, as well as more flexible
approaches. If you add the few lines of code it takes to support updates in your
app, then your users will pull down updates as soon as you make them
available.
If you donât, then when you discover a bug or security issue, youâll have to rely
on users manually downloading and installing the update
update.
14
16. The way Internet addressing works, itâs like a mailman wearing a blindfold who
knocks on each door, hands the person all the mail, asks them to take their
own and hand back the rest (without checking whether theyâve read it before
handing it back).
Luckily the solution is easy â just use SSL or TLS between the client and
server.
server Because AIR uses the computerâs networking stack it supports this
computer s stack,
automatically.
16
17. One great thing about REST-based web services is that theyâre easy to test.
You can just type the URL in a web browser and see the XML (or whatever)
response directly in the browser window.
Unfortunately, this means that anyone who can find out the URL of your web
service (e.g. by decompiling your SWF) can access your server and perform
any operation that your app can. To prevent this require authentication on the
can this,
server, and make sure that the username/password arenât hard-coded in the
app but instead are input by the user.
Again, AIR uses the OS network stack (including cookie management) to
communicate with servers. Some clever apps incorporate web-based
authentication b di l i th l i web page i an HTML control. Wh th
th ti ti by displaying the login b in t l When the
user logs in a cookie is set and subsequent requests to the server include the
authentication cookie in their requests.
17
18. If youâve read this far, you should probably just come to the session on
Wednesday at 1:00 pm. =)
If you canât make it to the session (or youâre reading this after the conference),
check my web site for the complete slides, notes, links, etc.:
http://probertson.com/
18