Apollo Alpha 1 Documentation - collected by Jimbob


Understanding Apollo security


The Apollo run-time environment gives you access to some of the same operating system resources that you can access from a standard desktop application. For this reason, an Apollo application has fewer access restrictions than a SWF or HTML file running in a browser. Since this can present a security risk, it's important to understand the Apollo application security model.

Contents
  1. Installer security warnings
  2. Security sandboxes
  3. Privileges for resources in the Apollo application security sandbox
  4. Best practices for developing secure applications
  5. HTML-based applications
  6. HTML content in an HTMLControl object
  7. Disabling mms.cfg settings

Installer security warnings

As part of the Apollo application installation process, end users installing the application are presented with a security notice. The notice is intended to tell the user who published the application and what kind of system access the application will have, so that the user can make an informed decision about whether to install it.

Security sandboxes

In the alpha release of Apollo, local files that are part of an Apollo application are accessed from a special security sandbox, known as the Apollo application security sandbox. In future releases of the Apollo runtime, application resources may have different sandboxes depending on how the Apollo application is signed or installed.

Developers can use the read-only Security.sandboxType property to determine the security sandbox for a SWF file. For a SWF file that is bundled with the Apollo application, this property is set to the value defined by the Security.APPLICATION constant.

All other resources—those that are not installed with the Apollo application—are put in the same security sandboxes as they would be placed in if they were running in Flash Player in a web browser. Remote resources are put in sandboxes according to their source domains, and local resources are put in the local-with-networking, local-with-filesystem, or local-trusted sandbox.

Privileges for resources in the Apollo application security sandbox

SWF files in the Apollo application sandbox can cross-script any SWF file from any domain. However, by default, SWF files outside of the Apollo application security sandbox are restricted from cross-scripting the SWF file in the Apollo application security sandbox.

SWF files and HTML content in the Apollo application sandbox can load content and data from any domain.

SWF files installed with Apollo applications do not need to look for cross-domain policy files before loading data from another domain. Operations that normally require the other SWF file to grant access by calling the Security.allowDomain() method are likewise not restricted for SWF files installed in Apollo applications.

The Apollo runtime provides enhanced capabilities for SWF files and HTML content in the Apollo application security sandbox—capabilities that are not available to SWF files and HTML content running in a web browser (in Flash Player). These include reading and writing to local resources and files.

The settings in the Flash Player Settings UI do not apply to resources installed with Apollo applications.

Best practices for developing secure applications

While building Apollo applications, developers need to be aware that although they are using web technologies, they are not working within the browser security sandbox. This means that it is possible to build Apollo applications that can do harm to the local system, both intentionally and unintentionally. Apollo attempts to minimize this risk for developers, but there are still ways in which vulnerabilities can be introduced.

The greatest area of risk for unintentionally introducing a security problem to an Apollo application is when the application uses external data or content — so developers must take special care when using data from the network or file system.

Here are examples of areas of potential risk:

Note: When loading HTML content that is rendered in an HTMLControl object, the HTMLControl object applies the browser sandbox rules to all content.

This is an Alpha version of the product, so if you encounter configurations or options that might lead to potential vulnerabilities, please let us know. Also, Adobe is currently working on a broad set of security best practices for developers that will be provided prior to the 1.0 release of Apollo.

HTML-based applications

In an HTML-based application, the top-level frame always has access to the Apollo runtime classes. Content in a sub-frame (or IFRAME) is placed in a security sandbox corresponding to its domain of origin and can only access the top-level frame (and the Apollo runtime classes) if it is in the same sandbox as the top-level frame.

HTML content in an HTMLControl object

HTML content in an HTMLControl object can only access the Apollo runtime classes (via the window.runtime JavaScript object) if the exposeRuntime property is set for the HTMLControl object. (The exposeRuntime property is set to false by default.) When this property is set to true, content in the top-level frame of the HTML can access the Apollo runtime classes, but content in a sub-frame (or IFRAME) is placed in a security sandbox corresponding to its domain of origin and can only access the top-level frame (and the Apollo runtime classes) if it is in the same sandbox as the top-level frame. Because setting exposeRuntime to true hands the loaded page the full privileges of the application sandbox, leave it at its default of false for any HTML content you do not control.
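The risk described in the best-practices section (external data reaching a frame that has window.runtime) together with the frame sandbox rules above, worked through as an added example. This is illustrative code, not code from the Apollo documentation or runtime; the helper names (escapeHtml, renderUnsafe, renderSafe, frameFor, demo) and the sample feed records are assumptions made for the example, and the http(s)-only restriction in frameFor is a conservative design choice rather than an Apollo rule.

```javascript
// Added example, not code from the Apollo documentation. Helper names
// (escapeHtml, renderUnsafe, renderSafe, frameFor, demo) and the sample
// feed are assumptions made for illustration.
//
// Context from the docs: in an HTML-based Apollo application the top-level
// frame always has window.runtime, so any script that untrusted data manages
// to inject into that frame runs with the application sandbox's privileges
// (local file access, no cross-domain checks). Content in an IFRAME from
// another domain lands in that domain's own sandbox and cannot reach
// window.runtime.

// Neutralise the characters that let untrusted text break out of an HTML
// text node or a quoted attribute value.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, c => map[c]);
}

// Vulnerable pattern: untrusted data interpolated straight into markup that
// will be inserted into the top-level frame (for example via innerHTML).
function renderUnsafe(item) {
  return '<li class="feed">' + item.title + '</li>';
}

// Hardened pattern: identical output for benign data, but any markup inside
// the data is rendered as literal text instead of being parsed.
function renderSafe(item) {
  return '<li class="feed">' + escapeHtml(item.title) + '</li>';
}

// For remote content that must keep its own markup, keep it out of the
// top-level frame entirely: frame it by URL so it runs in the sandbox of its
// own domain. Only http(s) URLs are accepted here; that is a conservative
// choice for this example, since anything loaded from the application's own
// files would share the application sandbox with the top-level frame.
function frameFor(url) {
  const parsed = new URL(url); // throws on malformed input, so garbage never becomes a src
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') {
    throw new Error('refusing to frame non-http(s) content: ' + url);
  }
  return '<iframe src="' + escapeHtml(parsed.href) + '"></iframe>';
}

// Constructed sample input: one benign record and one carrying an injected
// event handler, as a hostile or compromised feed server might return.
const sampleFeed = [
  { title: 'Release notes' },
  { title: '<img src=x onerror="/* runs with window.runtime access */">' }
];

// Render the sample both ways and frame one remote page, so the difference
// between the two patterns is visible side by side.
function demo() {
  return {
    unsafe: sampleFeed.map(renderUnsafe),
    safe: sampleFeed.map(renderSafe),
    framed: frameFor('https://example.com/news.html')
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

In the unsafe output the second record's img element survives intact, so an onerror handler in it would execute in the top-level frame with runtime access; in the safe output the same record becomes inert text. frameFor rejects javascript: and file: URLs because both would execute in, or read from, the application side rather than a remote domain's sandbox.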

Disabling mms.cfg settings

If you have created or modified the mms.cfg file used by Flash Player, please remove it while running or testing Apollo applications. In the alpha release of Apollo, some of the settings in this configuration file may restrict Apollo functionality.





collected by Jimbob 2007.05