Adobe's rich Internet application toolkit lifts Flash and AJAX out of the browser and onto the desktop; debut release shines with light technical requirements and good features, though security and OS integration could go deeper
Adobe AIR 1.0 brings new hope to Web developers looking to combine the global connectedness of browser-based applications with the persistence and functionality of first-class, local desktop apps.
The results can be spectacular. AIR applications can take on either a custom or native appearance. In particular, data-driven dashboards really sing when freed from browser constraints, as Nasdaq’s Market Replay application demonstrates.
[ See why Tom Yager is a big fan of AIR. And how InfoWorld used AIR technology in its Windows Sentinel service. See our special report on rich Web development tools including reviews of Microsoft Silverlight, Curl, WaveMaker Visual AJAX Studio, JackBe Presto, Nexaweb Enterprise, Backbase, Bindows, Tibco General Interface, and more open source AJAX toolkits than you can shake a div at. ]
The resulting application gains access to OS features such as dragging and dropping to and from the local file system, clipboard access for cutting and pasting between AIR and other applications, network connectivity, encrypted local storage, and perhaps most noteworthy, offline functionality. Thanks to AIR's persistent, local SQLite data store, AIR apps continue to function without a network connection.
Further, AIR doesn't require Web developers to learn anything new. They can easily create AIR apps using the tools and techniques they already know. And because AIR is cross-OS compatible, the same application code can be deployed to Windows, Mac, and eventually Linux systems. An alpha version of AIR for Linux is available at Adobe Labs.
Pieces of AIR
Adobe AIR comprises several components. The SDK is a command line toolkit for packaging and deploying Web applications as AIR apps. It includes a schema template for generating the AIR manifests (which define various properties of each application including name, security certificate, and files included within the package), APIs for the framework, a service monitor, and a command line debugger that lets you do some testing without first needing to package up your app. The entire lot is available for free, and several components are open sourced under the Mozilla Public License.
The underlying application components are packed into an AIR installer file, which is little more than a zip file containing program assets, the XML manifest, and a digital certificate to verify authenticity.
The command line tools are easy enough to work with, and you can use any text editor to create an AIR app. Adobe provides plug-ins for creating AIR applications in Flash CS3 and Dreamweaver CS3, as well as third-party tools such as Aptana Studio. However, I recommend you try Adobe's new commercial development tool, the Flex Builder 3.0 IDE. Based on Eclipse, Flex Builder provides easy graphical tools for laying out GUIs, binding to servers and data sources, and generating the underlying MXML code.
AIR apps can take advantage of protocols including FTP, AMF (ActionScript Messaging Format), JSON, SOAP, and RTMP (Real Time Messaging Protocol for streaming media), and they can communicate with Adobe LiveCycle and BlazeDS servers using server-side RPC and messaging calls.
Clipboard access and drag-and-drop interaction with the file system notwhithstanding, AIR's access to native code libraries and the underlying OS could be deeper. For example, AIR lacks a USB API, and although printing is supported, printing of images is limited to raster renderings versus full vector support.
AIR'sindependence from native libraries provides a cleaner experience, but access to native code could provide not only better performance (particularly for calculation-intensive processes), but also a richer set of pathways to existing code/routines and the ability to launch local apps for specific file types.
Similarly, although security is thoughtfully addressed, it too could go further. First the good news. Local storage is protected by 128-bit encryption. AIR apps can be digitally signed and verified at runtime (via VeriSign or Thawte certificates). Administrators can control (via OS registry key) which AIR apps may be installed on a local system (trusted source only, for example, or none at all), and whether they can be updated automatically or uninstalled. And because AIR apps are treated as native, personal firewalls can examine and block AIR applications on an individual basis (versus merely identifying the AIR runtime).
However, given the level of potential exposure – AIR can write to any location on the hard disk and gain immediate network access – I would like to see Adobe tighten the controls over system access. Although self-signed apps alert users with an "unknown signature" warning, these unverifiable apps, if installed, gain the same permissions and unfettered access to the underlying OS as verified apps.
Because AIR is essentially a proxy, Adobe could implement ways to control, say, whether a cookie may be written outside the local directory, or when an existing file may be overwritten. Let the user decide what level of control to apply, but we could use something better than the existing open door policy. I hope Adobe will see fit in a future version to allow users to fine-tune permissions for each app during install.
Adobe does offer best-practice guidelines for developers. Nevertheless, I submit that many Web developers lack the technical savvy to effectively safeguard security. It's only a matter of time before some clever ne'er-do-wells begin exploiting remote data sources through local access vulnerabilities unknowingly left open to attack.
That said, AIR does fortify against malicious code injections. The two-level sandbox framework, which restricts the access of untrusted application routines to AIR's APIs, does help protect developers from themselves.
Grab some AIR
AIR will not be suitable for every application. Personally, I'm quite content to use a browser for most things. But for enterprise dashboards and occasionally connected apps, as well as for many consumer-facing and marketing sites (watch out Webkinz!), breaking free of browser-badging and Web constraints makes a lot of sense.
On the enterprise front, companies such as Model Metrics (for Salesforce.com) and Business Objects are busy breathing AIR into their systems. There are also a number of projects under way to let AIR eventually tap native code via cross-compilation with ActionScript (for example, to migrate existing C++ or .Net applications).
Easy migration of legacy apps running on a freely available distribution of Linux (assuming Adobe follows through on the port) will be irresistible to many companies, and Adobe AIR's ability to reduce hurdles to desktop application deployment makes it a must-see. Still, I think we're seeing only the first hint of turbulence in a coming wave of disruption.
Adobe is far from the only company clamoring for a piece of the RIA action. But I find Adobe AIR 1.0 well ahead of the pack today, in functionality, ease of execution, and overall efficacy of the final product. AIR blurs the distinction between Web, desktop, and user devices in ways that we've only begun to explore. Oh, and did I mention that it's free?
Ease of development (30.0%)
Overall Score (100%)
|Adobe AIR 1.0||10.0||9.0||7.0||8.0||9.0|
The transition from command line to line-of-command requires a new mind-set -- and a thick skin
Siri gets smarter. Apple Watch gets much more useful. And is Apple Music poised to kill other streaming...
People who have it don’t want it. People who want it don’t have it. Here's how to go from iconed to...
The Web's security runs on complicated PKI deployments, few of which are implemented correctly, and all...
Solid new version of Windows 10 Insider Preview makes it look likely that Microsoft will indeed hit RTM...
Package ecosystem and graphics are strengths; security and memory management are weaknesses
Self-checkout comes to the food court, with the same mixed experience as at any self-checkout terminal ...