3 Replies Latest reply on Aug 26, 2009 12:51 PM by Joe ... Ward

    adobe air distribution problem. (AJax / html)

    niroshan_fernandez

      Hi guys,

       

      I have written a sample application in JavaScript (Ajax) and XHTML and successfully published it with Adobe AIR. The system works fine, but my question is: when I distribute the application (.air) I had to include all my JavaScript, images, and XHTML. I don't have any problem sending the images with the .air package, but sending the JavaScript files is impossible because, since I'm using Ajax to show all the details, I have to use full URLs for all my Ajax calls.

       

      So someone who knows about Adobe AIR can use those same URLs and create their own AIR application and steal my details from my server. (Adobe AIR allows cross scripting.)

       

      As a solution, I have seen that many applications (e.g. eBay Desktop) use Flash logins, check the login using Flash, and redirect the user to a separate page if the login is successful. So in this case I only need to package my .swf file, since redirection will be handled from the Flash end.

       

      I'm not a Flash developer, so I won't be able to create the whole application using Flash. That's why I'm looking for a JavaScript / HTML solution to overcome this problem.

       

      So my questions are:

      1. Is there any way I can publish my .air application without packaging the JS files?

      2. Is there a possibility that I can use a Flash login and, if the login succeeds, open up a new window with the actual application and close the login window? And vice versa when logging off?

       

      I hope you guys understand my questions; any help is highly appreciated.

       

      Thanks in advance,

      Best regards,

      niroshan

        • 1. Re: adobe air distribution problem. (AJax / html)
          adobe_paul Adobe Employee

          There isn't any way to distribute an HTML/JS AIR application without the HTML/JavaScript source files. Because JavaScript is a run-time interpreted language, the HTML and JavaScript code has to be available at run time. The obvious downside to this is that the source code of your application is available in plain text on the users' hard drive.

           

          If your main concern is protecting data stored on the server from malicious users, the username/password strategy is probably a good one (and you wouldn't need to implement it using Flash at all -- you could do the same thing in HTML/JS). What you need to do is:

          • Set up your web server so that the user has to be authenticated with the web server in order to get any data or perform any of the calls (from Ajax or anywhere else).
          • When your app first starts or at some point, have a login form where the user enters their username/password for your server. When you make the Ajax calls to the server, pass the username/password along (or use a session cookie, or some other similar technique for maintaining authentication).

           

          That way, even if an attacker knows the url of your server calls, they can't actually use them unless they have an account with you.

           

          From a practical standpoint, you should protect your server by requiring authentication in any case. Otherwise your only security defense is the fact that an attacker doesn't know your exact url. But there are ways to learn urls (for example, by monitoring network traffic) that make it so it isn't too hard for someone to discover the urls even without your app's source code.
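
A minimal sketch of the server-side check described in the reply above, as an added example that is not part of the original thread or any Adobe code. It assumes a Node.js server; the account `alice`, the `/login` and `/details` routes and the `handle` function are hypothetical names.

```javascript
// Added example: every data route requires a session obtained by logging in.
const crypto = require('node:crypto');

// Constructed sample account; a real server loads salted hashes from its user store.
const salt = crypto.randomBytes(16);
const users = new Map([['alice', { salt, hash: crypto.scryptSync('correct horse', salt, 32) }]]);
const sessions = new Map();            // token -> { user, expires }
const SESSION_TTL_MS = 30 * 60 * 1000; // sessions expire after 30 minutes

function login(username, password) {
  const rec = users.get(username);
  // Hash even for unknown users so response time does not reveal which names exist.
  const candidate = crypto.scryptSync(String(password), rec ? rec.salt : salt, 32);
  if (!rec || !crypto.timingSafeEqual(candidate, rec.hash)) return null;
  const token = crypto.randomBytes(32).toString('hex'); // unguessable session id
  sessions.set(token, { user: username, expires: Date.now() + SESSION_TTL_MS });
  return token;
}

function authenticate(headers) {
  const m = /^Bearer ([0-9a-f]{64})$/.exec(headers.authorization || '');
  const s = m && sessions.get(m[1]);
  return s && s.expires > Date.now() ? s.user : null;
}

// Hypothetical request dispatcher: knowing the URL alone yields only a 401.
function handle(req) {
  if (req.method === 'POST' && req.path === '/login') {
    const token = login(req.body.username, req.body.password);
    return token
      ? { status: 200, body: { token } }
      : { status: 401, body: { error: 'bad credentials' } };
  }
  const user = authenticate(req.headers || {});
  if (!user) return { status: 401, body: { error: 'login required' } };
  if (req.method === 'GET' && req.path === '/details') {
    return { status: 200, body: { owner: user, items: [] } };
  }
  return { status: 404, body: { error: 'not found' } };
}
```

The AIR client would send the token from `/login` with each Ajax call (for example through `XMLHttpRequest.setRequestHeader`), and both the login and the data calls need HTTPS so that the credentials and token cannot be read off the network.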

          • 2. Re: air protect html and js source code
            jshrek

            This probably needs to go under New Feature Requests, but I have no idea where I would do that (anybody know?), but here are my thoughts on this anyway...

             

            When an AIR package is compiled, it could (somehow) include all the HTML and JS encoded into the .exe file. It would then (somehow) be able to access all that HTML and JS from within the .exe and would therefore not need source files.

             

            You could then add a new option to ADT like -includesource or -nosource which would let you decide whether to include it or not.

             

            Just my thoughts. Thanks

            • 3. Re: air protect html and js source code
              Joe ... Ward Level 4

              DRM solutions (which is what you are asking for) are difficult and expensive to maintain. Any solution would ultimately be hacked and would have to be patched. I doubt that Adobe would offer this service for free because of the maintenance expense. There are companies selling obfuscation and other such tools. How well they work is up to you to determine.

               

              And, for what it's worth, executables can be decompiled and debugged, too (although maybe it takes a more skilled hacker to do it), so the issue isn't unique to JavaScript.