3 Replies Latest reply on Jun 30, 2011 7:36 PM by Joe ... Ward

    Import Remote Plugin / Module into AIR application

    greengnu Level 1

      Hello!

       

      I want to run remote code in my AIR application within the same security sandbox. I found this article http://blogs.adobe.com/emalasky/2008/04/remote_plugins.html which describes quite shallow how to do it:

       

       

      So to pull this content in safely, you need to prove that you can trust it. Given the ease of remote attacks (DNS hacks; man-in-the-middle attacks; owning up the “trusted” server; etc), imported modules must be signed, and the signature must be verified before loading the content.

      1. First, sign your modules. I’m pretty sure you can just use adt for this, then rip the signatures.xml out of META-INF. Then post the modules and signatures.xml

      2. When you download the modules, save them and signatures.xml somewhere in app-storage:/

      3. Use the XMLSignatureValidator class to validate that you downloaded modules that really were signed by you (or some known entity).

      4. Import the modules into your application sandbox. For SWF, use Loader.loadBytes(), pass a LoaderContext with allowLoadBytesCodeExecution=true. I doubt anyone will do *that* by accident.

         

       

       

      My questions:

       

      1.: is this still the way to go in AIR 2.7?

      2.: The explanation is very shallow.. could someone explian a bit more indepth how to do this and what steps are required? Or maybe someone knows a good tutorial?

       

      Thanks!

        • 1. Re: Import Remote Plugin / Module into AIR application
          Joe ... Ward Level 4

          Yes, the same thing applies in AIR 2.7. I think Flex has added some support for modules since Ethan's blog post was written, but I don't believe that support includes security for remote code.

           

          I wrote an article covering the signature and validation aspects of the problem: http://www.adobe.com/devnet/air/flash/quickstart/articles/xml_signatures.html (which is also linked to from the comments on Ethan's blog, so you might have already seen it).

          1 person found this helpful
          • 2. Re: Import Remote Plugin / Module into AIR application
            greengnu Level 1

            Hello!

             

            Thank you for that great article!

             

            Based on this and your code example I added the signature checking to my application in the following way. Could you please tell me whether this is correct and secure?

             

             

            1.

            I load the signatures.xml from the remote update package aswell as the signatures.xml from "app:/META-INF/signatures.xml" (signature file from locally installed air file).

            Then i continue to process the file only if (remoteXmlSig..signatureNS::X509Certificate == localXmlSig..signatureNS::X509Certificate) since I only want to allow plugins that were signed with the same certificate as the installed air application.

             

            2. I run your validation code but with

             

            verifier.useSystemTrustStore = false;

             

            3.

             

            in the "verifyManifest" function I add every file that was successfully validated into an array

             

            4.

             

            in the end I use only the files within this array to update my application.

             

             

             

            Is that correct?

             

            Thank you!

            • 3. Re: Import Remote Plugin / Module into AIR application
              Joe ... Ward Level 4

              That sounds right. Of course the only way to be reasonably sure it works is to test it!