While the IC’s research organization looks into adding security to cloud environments, in the here and now, intelligence agencies are sharing more data.
The Adobe Integrated Runtime, or AIR for short, has been getting a lot of attention lately — and deservedly so.
Even in its beta form, AIR shows promise, and it successfully blurs the lines between Internet and desktop applications for both developers and end users. AIR is a cross-platform runtime currently available online at the Adobe Labs site (labs.adobe.com/technologies/air). Once the runtime is downloaded and installed under either an Apple Macintosh or Microsoft Windows operating system, applications targeted for deployment on AIR can be installed as native applications on any OS for which AIR is available. (Linux support is reportedly coming soon.)
The prospect of creating a rich, interactive, Internet-enabled app that can run natively on Mac or Windows has already been enticing enough for many large companies to build and release AIR applications. Companies such as eBay, AOL, salesforce.com, Disney, Nickelodeon, Pownce, NASDAQ and others have been working with AIR since its inception. Based on presentations at the recent Adobe MAX conference, end users and developers alike are extremely satisfied with the results. Providing a better user experience, more capabilities than traditional browser-based applications and advanced features such as online/offline data storage and synchronization are all compelling.
These aren’t applications that are launched from the desktop but still run in a Web browser; Windows and Mac OSes recognize AIR applications as native applications.
This means the security sandbox of the browser does not limit AIR apps; they potentially have access to the same resources as a traditional desktop app. This includes native OS windowing tools, so AIR apps look like native Windows and Mac apps unless a developer customizes their look. These apps also interact with the local file system, meaning an AIR app potentially has read/write access to a user’s local hard drive. In short, an AIR app is built using Web development technologies, but it runs as a native app under either Mac OS or Windows. To the operating system, an AIR app is a native application.
Because an AIR app isn’t limited to the capabilities and security of the browser, users have new capabilities created by this particular flavor of rich Internet application (RIA). Being able to interact with the OS enables features previously unavailable to Internet application developers, such as file reading and writing, and drag-drop operations. For instance, you can drag a contact from Outlook onto an AIR app, and this action automatically can add the contact data to an online database. This sort of interaction with local resources would be impossible to achieve with a browser-based app.
Another exciting feature allows online/offline operations. AIR includes an embedded SQLite database, which means AIR apps can interact with a relational database locally when an Internet connection isn’t available. In a demo at the conference, a user started working in an application with an active Internet connection and then unplugged the Ethernet cable from the computer and kept working. The app kept running without so much as a hiccup. When the user plugged the Ethernet cable back into the computer, the app uploaded the local data to the online database. Handling things such as data conflicts takes some planning and programming, but this seamless online/offline operation is impressive.
To the security-conscious systems administrator, AIR capabilities are also a source of great concern. Typically, apps that run in a Web browser have a certain degree of built-in security because Web pages and most other in-browser technologies, such as Flash, Java and Active-X, do not have access to local OS resources. Because AIR apps run as desktop apps and can seamlessly be installed to the desktop from within the browser, they must be treated with the same security concerns as more traditional desktop apps.
The good news is that because AIR apps are native OS applications, they are bound by the same rules as for any other desktop apps. For example, if users do not have administrative rights on their computer and cannot install software, they will not be able to install AIR apps. Similarly, if users do not have rights to a particular file system resource, an AIR app cannot circumvent this restriction. In other words, any permissions that have been configured at the OS level will apply to AIR apps.
Perhaps the best way to address security concerns with these apps would be through education. Users accustomed to downloading things from the Internet simply may not be aware of the capabilities of this new breed of application and the degree to which their local system resources may potentially be accessed, so informing users of the security concerns is vital to safe deployment and use.
If the current crop of AIR apps is any indication, AIR will become an increasingly relevant technology and will offer both developers and end users new possibilities in Internet-enabled apps. The rich, interactive user experience, cross-platform deployment and local resource access are exciting. With a bit of awareness, user education and a healthy dose of security paranoia, AIR apps offer the potential to provide a better experience for end users and new avenues for developers without compromising an organization’s security.