Adobe breathes fresh AIR into RIA

AIR apps can take advantage of protocols including FTP, AMF (ActionScript Messaging Format), JSON, SOAP, and RTMP (Real Time Messaging Protocol for streaming media), and they can communicate with Adobe LiveCycle and BlazeDS servers using server-side RPC and messaging calls.

I found decent support for popular JavaScript libraries, including Dojo (which now also supports AIR) and Adobe's own Spry kit, allowing developers to make use of familiar tools. The resulting AIR application can look and feel like a native app, using the operating system's "chrome" for menus and so on, or can be customized to your designer's heart's content.

For the end-user, an initial 11MB download is necessary to get started, but subsequent application installs and updates are far more seamless.

Security is thoughtfully addressed, but could go further. Local storage is protected by 128-bit encryption. AIR apps can be digitally signed and verified at runtime (via VeriSign or Thawte certificates). Administrators can control (via OS registry key) which AIR apps may be installed on a local system (trusted source only, for example), and whether they can be updated automatically. And because AIR apps are treated as native, personal firewalls can examine and block AIR applications on an individual basis (versus merely identifying the AIR runtime).

Nevertheless, I would like to see Adobe tighten the controls over system access. Although self-signed apps alert users with an "unknown signature" warning, these unverifiable apps, if installed, gain the same permissions and unfettered access to the underlying OS as verified apps. I hope Adobe will see fit in a future version to allow users to fine-tune permissions for each app during install. In Version 1.0, installs can't be customized.

Adobe does offer best-practice guidelines for AIR. Nevertheless, I submit that many Web developers lack the technical savvy to effectively safeguard security. It's only a matter of time before some clever ne'er-do-wells begin exploiting remote data sources through local access vulnerabilities unknowingly left open to attack.

That said, AIR does fortify against malicious code injections. The two-level sandbox framework, which restricts the access of untrusted application routines to AIR's APIs, does help protect developers from themselves.