1 Reply Latest reply on Apr 22, 2009 10:23 AM by Joe ... Ward

    Install Warnings on Mac OS X

      I'd like to install an AIR application on my MacBook, but I get a dire warning panel when doing so:

       

      Picture 2.jpg

      Is it safe to proceed in the face of this warning?  Is this behavior unique to Mac OS X or to Safari?

      The panel comes up on any application install and I assume it comes from AIR itself.

       

      Your help appreciated.

        • 1. Re: Install Warnings on Mac OS X
          Joe ... Ward Level 4

          This is the standard installation dialog for an AIR application that is not signed by a verifiable certificate. This is the same dialog that would appear on Windows or Linux.

           

          Since an AIR application has full access to the file system, and can read, write, or delete files, or send such information over the internet -- just like any full-privileged desktop application -- you should be just as wary about installing an AIR application as you would about installing any other desktop application.

           

          The things to consider here are:

          1. Do you know who the publisher is -- and do you trust them?

          2. Does this AIR install file actually come from that publisher?

           

          If the publisher is listed as "UNKNOWN" that means that the developer signed the application with a code signing certificate that they themselves created. If you recieved the AIR file directly from the publisher via secure means (such as an HTTPS connection), then, assuming you trust the publisher, it is probably fine to install it. However, if you downloaded the AIR file through some other means, there is a possibility (small, but not negligible) that what you have is not the AIR file that was created by the publisher. When the developer chooses to save money by not buying a verifiable certificate from a reputable certificate authority, it is possible for a malicious entity to create a forgery of their application. There is no way for AIR to determine whether this AIR app came from the actual publisher -- you will have to do that yourself.

           

          I would encourage the publisher to get a commercial code signing certificate. If every user of a popular application like TweetDeck donated, say, a nickle or dime, the developer's costs would be covered -- and the users would be safer.