
Adobe AIR Security and future features

Adobe AIR, like so many development platforms, has you sign your code. This is not a problem. Tools are built into Flex Builder 3 that create the signing certificate for you and the process is simple. Your code, however, is not signed by a trusted authority. For that, you need to spend money on a software signing certificate. These are of dubious value for several reasons.

First, web and computer users have been conditioned to simply not read anything to do with software licenses or installation instructions (the EULA is the longest, most unread document in the world: just a waste of bytes). The user invariably clicks yes, yes, ok, yes, no, yes, accept, yes, finish or such as fast as they can. Frankly, the only people who read these things are those most qualified not to (like your mother), causing confusion and time loss. "Yes, mom, it's safe to install the software. Don't worry about your licensee requirements under GPL version 2," or "You clicked what?? You didn't do a default installation? Sorry, I have no idea where your photos are now." So do users care who signed the software? No.

Second, most people install software from reputable sources and they also only install things that others are installing. This community helps filter out software that contains all manner of malware. Idiot emptor.

Third, everyone in the world can have free high-quality virus protection from AVG (and you are foolish not to). Download here: http://free.grisoft.com/ww.download-avg-anti-virus-free-edition When you download software (or anything), you should just scan it if you have any doubts. This won't solve all problems, but do it anyway.

So what is the value of signing? Nada. Unless Adobe has something else up their sleeve, which I really hope they do. Signing does have value for developers, and ultimately the end-user, since signing certificates can be used to provide advanced features to the developer, depending on the type of certificate they have. What this means is if I buy a software signing certificate, I can use more powerful features of the language and create potentially better software.

What features should Adobe AIR expose to users with real signing certificates? Here are a few ideas:

  • launch native applications (not just the browser)
  • make native system calls
  • load new code dynamically over the web (Java-style class loading)
  • use WebKit in off-line mode for advanced application support
  • support running Flex SDK tools and allow creating self-modifying code...

These are all features that will make the AIR platform much more successful and capable against the competition (like Java) that can already do these things.

Do I want to buy a software signing cert? No. I actually think these have hampered and limited mobile development for years. Do I think we need them? No, but if we are going to have them, let's get something in return. 

When looking for info for this post, I came across this interesting blog: http://www.brajeshwar.com/2008/air-security-part-1/
