Yes, that's right. AIR applications are desktop applications, and the same thing can be done to other desktop applications, too. The code signing feature protects primarily distribution and installation.
Note that even if the signature was validated when the application was run, that wouldn't protect your web services. The web services can always be accessed from other applications that you didn't create.
Oliver Goldman | Adobe AIR Engineering
The problem is that code injection provides an easy avenue for a hacker to piggyback new calls to the web service in the middle of execution of the application, in a privileged portion of the application where security mechanisms have already granted access to the application but before that access has been revoked. Being that all AIR code is executed within the AIR Runtime, it would have been beneficial to developers to have the runtime ensure that code has not been tampered with as it is loaded into the Runtime environment. In a native desktop application, there are more capabilities that developers can call upon to help ensure the integrity of their application. The AIR runtime does expose some features that might enable developers to implement their own tamper checks, but it certainly will be neither trivial nor performant to do so.