Adobe Flash: Insecure, outdated, and here to stay

Given its lax security and incompatibility with mobile, Flash should be gone -- but it lingers for reasons that are tough to get past

With all the head-shaking over Windows XP, aka The OS That Refused to Die, let's also spare a thought for The Plug-in That Refuses to Die: Adobe Flash.

If Flash deserves to perish, it's mainly because it's an insecure mess. New exploits for Flash show up routinely. Enterprises, which often lag in applying updates, regularly run outdated versions of Flash. Back in 2011, Adobe admitted Flash is a developmental dead end, especially for mobile -- yet Flash continues to stick around.

At least the general trend for Flash usage is downward. BuiltWith.com has tracked a steady decline in Flash usage over the past year, and HTTPArchive.org's stats since 2012 show the total percentage of Flash sites is on the wane.

So why, despite its insecurity and other problems, does Flash continue to linger like a bad cold?

The short answer: It's no one thing. Rather, Flash has burrowed into a slew of niches, each of which has allowed it to stay alive for a given target audience. Sometimes that audience is narrow or increasingly endangered, but it attracts an audience all the same.

Video delivery. Even if YouTube were alone in using Flash, the site by itself might be excuse enough to keep Flash alive indefinitely. One big advantage Flash still has over HTML5 is consistent support for a single video format, H.264, which obviates the need to serve different versions of video files based on the browser in use.

In theory, it isn't difficult to change over a Flash-based player to an HTML5-based option; in fact, Google's Swiffy tool converts Flash SWF files to HTML5. But while YouTube has been switching its users over to an HTML5-based player -- Chrome all but guarantees the user will go with HTML5 -- Flash remains a fallback. (Launching YouTube in the latest edition of Firefox, for instance, invokes the Flash player.) Outside of YouTube, free Flash-based HTML players are common on sites that self-host video.

Advertising. Annoying Flash-based banner ads are nobody's idea of fun -- except, maybe, an ad merchant's -- but Flash ads are a fixture of Web life. After all, Flash makes it easy to create animated or video-streaming ads that unmute when you hover over them; additionally, ad creators and ad rotation networks have come to rely on Flash as a standard. For example, clicktracking, so important for ads, is easy in Flash. Though an industry shift to HTML5 for ads is under way, it's been slow going -- expect Flash ads to continue annoying us for a long time to come.

Gaming. Flash has long been one of the go-to environments for beginning game design. It gives you quick results, is universally deployable, and comes outfitted with its own widely used programming language. Again, HTML5 has made major inroads here, especially in mobile.

But the weight of the existing, legacy development and deployment material available for Flash, as well as the overall backward compatibility, stability, and predictability of Flash (which can't be said for HTML5's shifting sands and browser-dependent implementation), keep it important in this space.

Legacy Web app UI widgets. Many Web application UIs feature Flash widgets here and there for the sake of some function that would previously have been difficult to deliver in HTML -- such as the graphical statistics dashboard for the Movable Type CMS. Most of these remain in use because of the legacy installed base for such applications, which rev very rarely (à la Flash itself or even Java).

I've mentioned how each of these can be eclipsed in some way by HTML5 over time, and the wheel is turning. But the snail's pace of both enterprise adoption and change within the verticals where it's become a de facto standard all but guarantees Flash is going to stick around in the same manner as browser-side Java -- or, for that matter, Windows XP.

This article, "Adobe Flash: Insecure, outdated, and here to stay," was originally published at InfoWorld.com. Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog. For the latest business technology news, follow InfoWorld.com on Twitter.

Mobile Security Insider: iOS vs. Android vs. BlackBerry vs. Windows Phone
Join the discussion
Be the first to comment on this article. Our Commenting Policies