2 Replies Latest reply on Mar 6, 2008 4:34 PM by anemitoff12

    Tampering with installed AIR applications is POSSIBLE

    anemitoff12 Level 1
      I was surprised to discover that my installed AIR package is fully extracted to the installation directory and all of my content files are available for anyone to view.

      Worse than that, I thought that one of the benefits of having code-signed packages was that the runtime would detect any tampering with the resources in the package not only when the package is first installed (protecting the user) but when the packaged application is launched (protecting the application provider who will probably be connecting the application to their web services).

      But experimentation has proved that the runtime does NOT detect tampering when an application is launched. I adjusted the security privileges on some of the installed content files and then edited some HTML and JavaScript files that were part of my package. When I launched the application, the runtime happily loaded and executed my altered content.
        • 1. Re: Tampering with installed AIR applications is POSSIBLE
          Oliver Goldman Adobe Employee
          Yes, that's right. AIR applications are desktop applications, and the same thing can be done to other desktop applications, too. The code signing feature protects primarily distribution and installation.

          Note that even if the signature was validated when the application was run, that wouldn't protect your web services. The web services can always be accessed from other applications that you didn't create.

          Oliver Goldman | Adobe AIR Engineering

          • 2. Tampering with installed AIR applications is POSSIBLE
            anemitoff12 Level 1
            The problem is that code injection provides an easy avenue for a hacker to piggyback new calls to the web service in the middle of execution of the application, in a privileged portion of the application where security mechanisms have already granted access to the application but before that access has been revoked. Being that all AIR code is executed within the AIR Runtime, it would have been beneficial to developers to have the runtime ensure that code has not been tampered with as it is loaded into the Runtime environment. In a native desktop application there are more capabilities that developers can call upon to help ensure the integrity of their application. The AIR runtime does expose some features that might enable developers to implement their own tamper checks, but it certainly will not be trivial nor performant to do so.
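
The last post mentions developers implementing their own tamper checks. The sketch below is an added example, not code from the posters or from Adobe: it uses plain Node.js rather than the AIR API to compare SHA-256 digests of installed files against a manifest recorded at packaging time. All function names are hypothetical, and it assumes the manifest is kept where a local user cannot rewrite it.

```javascript
// Added example (Node.js, not the AIR API); all names here are hypothetical.
const crypto = require('crypto');
const fs = require('fs');
const os = require('os');
const path = require('path');
const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Recursively list regular files under root as relative '/'-separated paths.
function listFiles(root, rel = '') {
  const out = [];
  for (const entry of fs.readdirSync(path.join(root, rel), { withFileTypes: true })) {
    const child = rel ? rel + '/' + entry.name : entry.name;
    if (entry.isDirectory()) out.push(...listFiles(root, child));
    else if (entry.isFile()) out.push(child);
  }
  return out.sort();
}
// Map each relative path to the SHA-256 hex digest of its contents.
function buildManifest(root) {
  const manifest = Object.create(null);
  for (const rel of listFiles(root))
    manifest[rel] = crypto.createHash('sha256').update(fs.readFileSync(path.join(root, rel))).digest('hex');
  return manifest;
}
// Report files that were edited, deleted, or dropped into the install directory.
function verifyInstall(root, manifest) {
  const current = buildManifest(root);
  const report = { modified: [], missing: [], added: [] };
  for (const rel of Object.keys(manifest)) {
    if (!has(current, rel)) report.missing.push(rel);
    else if (current[rel] !== manifest[rel]) report.modified.push(rel);
  }
  for (const rel of Object.keys(current)) if (!has(manifest, rel)) report.added.push(rel);
  return report;
}
// Constructed demo: a throwaway "install directory" that is changed after packaging.
function demo() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), 'install-'));
  fs.mkdirSync(path.join(root, 'js'));
  fs.writeFileSync(path.join(root, 'index.html'), '<script src="js/app.js"></script>');
  fs.writeFileSync(path.join(root, 'js', 'app.js'), 'callService();');
  const manifest = buildManifest(root);                                  // recorded at packaging time
  fs.appendFileSync(path.join(root, 'js', 'app.js'), '\nextraCall();');  // edited after install
  fs.writeFileSync(path.join(root, 'js', 'new.js'), '// not in the package');
  fs.rmSync(path.join(root, 'index.html'));
  const report = verifyInstall(root, manifest);
  fs.rmSync(root, { recursive: true, force: true });
  return report;
}
```

A check like this that ships inside the application is itself one of the editable installed files, and, as the first reply notes, it does nothing to stop other programs from calling the web service directly.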