Product review: Adobe breathes fresh AIR into RIA
Adobe's rich Internet application toolkit lifts Flash and AJAX out of the browser and onto the desktop; debut release shines with light technical requirements and good features, though security and OS integration could go deeper
Similarly, although security is thoughtfully addressed, it too could go further. First, the good news. Local storage is protected by 128-bit encryption. AIR apps can be digitally signed and verified at runtime (via VeriSign or Thawte certificates). Administrators can control (via an OS registry key) which AIR apps may be installed on a local system (trusted source only, for example, or none at all), and whether they can be updated automatically or uninstalled. And because AIR apps are treated as native, personal firewalls can examine and block AIR applications on an individual basis (versus merely identifying the AIR runtime).
However, given the level of potential exposure – AIR can write to any location on the hard disk and gain immediate network access – I would like to see Adobe tighten the controls over system access. Although self-signed apps alert users with an "unknown signature" warning, these unverifiable apps, if installed, gain the same permissions and unfettered access to the underlying OS as verified apps.
Because AIR is essentially a proxy, Adobe could implement ways to control, say, whether a cookie may be written outside the local directory, or when an existing file may be overwritten. Let the user decide what level of control to apply, but we could use something better than the existing open door policy. I hope Adobe will see fit in a future version to allow users to fine-tune permissions for each app during install.
Adobe does offer best-practice guidelines for developers. Nevertheless, I submit that many Web developers lack the technical savvy to effectively safeguard security. It's only a matter of time before some clever ne'er-do-wells begin exploiting remote data sources through local access vulnerabilities unknowingly left open to attack.
That said, AIR does fortify against malicious code injections. The two-level sandbox framework, which restricts the access of untrusted application routines to AIR's APIs, does help protect developers from themselves.
Grab some AIR
AIR will not be suitable for every application. Personally, I'm quite content to use a browser for most things. But for enterprise dashboards and occasionally connected apps, as well as for many consumer-facing and marketing sites (watch out Webkinz!), breaking free of browser-badging and Web constraints makes a lot of sense.
On the enterprise front, companies such as Model Metrics (for Salesforce.com) and Business Objects are busy breathing AIR into their systems. There are also a number of projects under way to let AIR eventually tap native code via cross-compilation with ActionScript (for example, to migrate existing C++ or .NET applications).
Easy migration of legacy apps running on a freely available distribution of Linux (assuming Adobe follows through on the port) will be irresistible to many companies, and Adobe AIR's ability to reduce hurdles to desktop application deployment makes it a must-see. Still, I think we're seeing only the first hint of turbulence in a coming wave of disruption.
Adobe is far from the only company clamoring for a piece of the RIA action. But I find Adobe AIR 1.0 well ahead of the pack today, in functionality, ease of execution, and overall efficacy of the final product. AIR blurs the distinction between Web, desktop, and user devices in ways that we've only begun to explore. Oh, and did I mention that it's free?