Adobe AIR:
Adobe Integrated Runtime
林弘偉(R98922025), 鄭安容(R98922061)
[ 摘要 ]
Adobe AIR is a cross-operating system runtime that lets developers combine
HTML, Ajax, Adobe Flash®, and Flex technologies to deploy rich Internet
applications (RIAs) on the desktop. This report includes the discussion about
the reliability, availability and scalability (RAS) issues, the security issues, and
the comparison between Adobe AIR and traditional web browsers.
[ What is Adobe® AIR®? ]
Adobe AIR is a cross-operating system runtime that lets developers combine
HTML, Ajax, Adobe Flash®, and Flex technologies to deploy rich Internet
applications (RIAs) on the desktop. Adobe AIR allows developers to use familiar
tools such as Adobe Dreamweaver® CS4, Flex® Builder™ 3, Flash CS4
Professional, or any text editor to build their applications and easily deliver a
single application installer that works across operating systems.
The Best Things About AIR
1. Cross Platform:
Adobe AIR works on Windows, Linux and Mac. A mobile version is also now
available.
2. It's beautiful:
AIR allows developers use Adobe Flash, Adobe Flex, HTML and AJAX to
create desktop apps. That means no more ugly desktop software! AIR apps
combine the beauty of Flash with the responsiveness that AJAX brings to the
web and that desktop software almost always offers.
3. It's not in the browser:
The browser is great but how often does your browser get overloaded? One
can access web application through Adobe AIR application without the web
browsers, which is faster and more convenient.
4. It combines the responsiveness of the desktop with the cloud of
the web:
It combines some of the best traits of the desktop with the cloud connectivity
1
of the web in individual apps that live on your desktop.
[ System Development ]
There is no specific development tool for building Adobe AIR applications.
Web developers can use the IDE of their choice, including Adobe tools such as
Eclipse™ based Flex Builder, Flash, and Dreamweaver, to build Adobe AIR
applications.
The free Adobe AIR SDK provides a set of command line tools for packaging
Adobe AIR applications. This can be used with any text editor to build and
deploy an AIR application.
[ Business Benefits ]
With the Adobe® AIR® runtime, you can deliver branded rich Internet
applications outside the browser that give you a closer connection to your
customer.
Adobe AIR uses the same proven, cost-effective technologies used to build
web applications, so development and deployment is rapid and low risk. You
can use your existing web development resources to create engaging, branded
applications that run on all major desktop operating systems.
The benefits are extensive. By using Adobe AIR as part of your RIA strategy,
you can boost productivity, extend your market
reach, enhance customer satisfaction, improve
customer retention, lower costs, and increase
profits.
Companies like eBay, AOL, and NASDAQ are
already using Adobe AIR to deliver engaging
RIAs to their users' desktops. With Adobe AIR,
you can:
Establish a more persistent connection
with existing customers
Deliver fully branded experiences with
desktop functionality
Leverage existing personnel, processes, and infrastructure
Develop and deliver RIAs efficiently using proven Adobe technology
Increase the ROI of your web investments
2
[ RAS Issue ]
Reliability: (Error handling, memory issue)
1. Memory issue:
AIR applications are written using either compiled bytecode (SWF content) or
interpreted script (JavaScript, HTML) so that memory management is provided
by the runtime.
In early development kit, memory management issue is a big problem for
AIR. Memory just keeps climbing even though developer works really hard to
clear objects and listeners and reuse objects.
In the new update, there is more efficient CPU usage (ex: On the Mac, many
applications are consuming 50% less CPU usage when running in the
background) and reduced memory usage between 15–20% (take TweetDeck
as an example)
AIR 1.5
20% Less
AIR 2 beta
2
3
2. Global error handling (GEH): GEH lets you handle all uncaught
errors (both synchronous errors and asynchronous error events) in one
place in your code. This is huge for large scale deployment where
anything (and usually everything) can go wrong.
Availability (easy to use & update):
1. Easy to use:
Developers will be able to generate native installers automatically in a
forthcoming AIR development kit, that is, AIR programs will be just a
native installer, such as an .exe file that doesn’t need to download AIR
runtime first!
2. Auto-updating:
AIR makes it easy for developers to keep their install base up to date by
AIR update framework which have following functions.
Periodically checking for updates based on an interval or at the
request of the user
Downloading AIR files (updates) from a web source
Alerting the user on the first run of the newly installed version
Confirming that the user wants to check for updates
Displaying information on the new update version to the user
Displaying download progress and error information to the user
Scalability (cross- platform)
1. AIR applications can run on any platform and operating system that
support the AIR runtime, including Mac OS X, Linux, and Windows (PC),
and in the near future will go to the mobile platforms like Android,
iphone and others.
2. The newest version of Adobe AIR, Adobe AIR 2(beta released on
February 2, 2010), extends the mobile capabilities of Flash Player 10.1
by delivering rich applications outside the browser and across multiple
operating systems. It supports online and offline use cases, and
developer can leverage mobile-specific features--such as multi-touch,
gestures, accelerometer, GPS, and screen orientation--to deliver richer
and more immersive user experiences.
Ps. AIR on Android will be available in the second half of 2010.
4
Digital WIRED Magazine- a new digital magazine experience (2010/2)
Content designed specifically for the touch screen experience
easy navigation methods, including an innovative
zoomed-out "Browse Mode"
the ability to browse image slideshows
embedded 360 degree object viewers
support for video and audio content
the ability to rotate content using device accelerometer
functionality
Alchemist, by InRuntime Ltd.
3. Some Issues
Because of the trade-off for easy cross-platform development,
Adobe has limited blocked developers from accessing the OS in
any platform-specific way, which basically dumb everything down to the lowest
common denominator across all platforms. Compared with native application
on desktop which developers can stand on the shoulders of OS giants very
easily, it will lose some custom functions (ex: spell checker specific to a certain
language, keyboard setting…etc) for a specific operating system.
It is still working to add more OS control function.
[ Security Issues]
Adobe AIR, like other desktop runtimes, provides applications with access to
powerful capabilities, such as local file access, which should be provided only to
"trusted" applications. Adobe AIR improves on the security model of most
desktop runtimes by providing information about the security of an application
before it's installed and configured on the end user's system.
Desktop-Specific Threats of Adobe AIR Applications
The set of first threat vectors is similar across desktop applications that run
locally. Adobe implemented sandboxing to limit some actions by a local Adobe
AIR application.
Adobe's documentation makes it clear that the sandboxes are not meant to
mimic the rigorous restrictions of a web browser's sandbox. Adobe AIR FAQ
points out that "applications deployed on Adobe AIR have powerful desktop
capabilities and access to local data."
Adobe AIR applications need to be digitally signed, to assist the end-user in
determining whether to trust the application's author. However, the certificates
can be self-signed, and many users will ignore the trust warnings and run those
applications that come from un-trusted sources. This is not a new issue, and it
is not unique to Adobe AIR.
However, the above problem may be solved because existing anti-virus suites
5
are able to detect improper actions of an Adobe AIR application through
behavioral techniques that observe any local programs.
Web-Specific Threats of Adobe AIR Applications
The other, and perhaps more significant set of threats to consider is tied to
those of any web applications. Vulnerabilities in a web application could allow
an attacker to launch attacks based on Cross-Site Scripting (XSS), SQL injection,
local link injection, and other techniques associated with traditional web
applications.
The most interesting security repercussion of a platform such as Adobe
AIR is that it merges traditional web application techniques with the
more-permissive security models of local applications. Consider a hypothetical
example where an Adobe AIR application allows the user to open and execute a
local file. An XSS-styled vulnerability in an application could allow a remote
attacker to inject a malicious JavaScript into the application that would attempt
to execute a local program of the attacker's choice. This is more difficult to
execute when the script runs within the confines of a web browser, than if the
script runs within a more permissive sandbox of Adobe AIR.
Adobe's Lucas Adamski wrote an excellent article describing the Adobe AIR
security model. In his write-up, Lucas describes the two sandboxes
implemented by Adobe AIR and outlines the security risks that the developers
of Adobe AIR applications need to consider. He also points to the security
documentation Adobe wrote to assist developers in addressing some of these
challenges. Lucas highlights the need for developers to follow Adobe's security
recommendations to create resilient applications:
"However, the privileges inherent in a full desktop application mean the
developer can sometimes find ways around these restrictions. The reality is
that doing so will almost certainly introduce a large amount of security risk into
the application and for the end users of the application. Thus Adobe strongly
recommends that developers stay within the restrictions placed by the AIR
security model, and carefully consider the cost of implementing rigorous
security mitigations for bypassing them. In most cases the development cost of
these mitigations will significantly exceed the cost of finding an alternative
solution that stays within the bounds of the security model. "
[ Comparisons ]
Browser vs. desktop
The browser has become the preferred way for delivering many applications
6
because it allows easy deployment across operating systems and simplified
application maintenance. Plus, the modern programming languages used in the
browser enable rapid application design and development.
The Adobe® AIR® runtime complements the browser by providing the same
application development and deployment benefits while adding desktop
integration, local data access, and enhanced branding opportunities. An
emerging design pattern for rich Internet applications (RIAs) is to deliver a
browser-based version of an RIA in the browser for all users and an RIA on the
desktop for more active users.
Feature RIAs in the browser RIAs on the desktop
Application Applications can be easily Installed applications have
delivery discovered, explored, and more persistence, power, and
used. functionality.
Installation No application installation Applications install seamlessly
is necessary. from the browser or download
and install like a traditional
desktop application.
Application Applications are updated AIR provides APIs that allow
updates by pushing new content applications to be updated as
to a website. easily as pushing new content
to a website.
Multiple Applications run on AIR applications are
operating multiple operating cross-platform, so they can be
system support systems and browsers. installed on and run on
multiple operating systems.
Programming JavaScript is provided by Integrated JavaScript and
languages browsers and ActionScript virtual machines
ActionScript™ is provided are compatible with the
by Adobe Flash® Player. browser.
Background RIAs can run only in a Applications can run in the
capability visible browser window. background or provide
notifications like traditional
desktop applications.
Persistence Activity is limited to the RIAs are installed and
browser session. When available on the desktop. They
the browser is closed, store information locally and
information is lost. operate offline.
7
Desktop Applications are Applications can access a
integration sandboxed, so desktop desktop file system, clipboard,
integration is limited. drag and drop events, system
tray/notifications, and more.
User interface RIAs run within a browser RIAs have a customizable user
control window that has its own interface and desktop
controls, branding, and integration, enabling branded
integration with the experiences.
desktop.
Data storage Applications have limited Applications have unlimited
local storage, which the local storage and access to a
browser can destroy. local database, plus encrypted
local storage.
Adobe AIR v.s Internet-connected applications(ex: widgets)
Adobe AIR enables developers to build a wide variety of applications,
including widgets. Adobe AIR does not provide a widget manager such as a
sidebar or top layer, but it is possible to build a widget manager on Adobe AIR.
Adobe AIR vs. Flash Player
Adobe Flash Player is a browser plug-in that provides advantages for users
and content creators in the browser, including the ability to deliver RIAs in the
browser. Adobe AIR incorporates technologies originally developed in Flash
Player and enables rich Internet applications on the desktop. Adobe AIR and
Flash Player provide complementary deployment methods for the RIAs.
Adobe AIR vs. Other Similar Software (ex. Prism)
Prism is designed to create a better environment for running one’s favorite
web-based applications. Prism is designed to provide a better use to those
applications we used to accomplish running on our computers and now moved
into the web browser.
Prism can create a shortcut to those web application sites, providing a clean
and fast environment to users.
The main difference between Adobe AIR and Prism is that, Adobe AIR is a
desktop application which can communicate directly with the web, but Prism is
still a web browser using Firefox as its kernel.
8
[ Reference ]
http://blogs.adobe.com
http://labs.adobe.com
http://www.adobe.com
http://gothick.org.uk/2009/02/07/why-adobe-air-apps-suck-just-like-java-app
s/
http://isc.sans.org/diary.html?storyid=4019
http://www.readwriteweb.com/archives/the_best_things_about_adobe_air.p
hp
http://playpcesor.blogspot.com/2008/02/adobe-air-10.html
9