Users must trust Air

Two weeks ago Oliver Goldman from Adobe wrote a post where he reveals that the warning about installing an Air application will stay in the next version, even if you choose to publish an application that do not access the user file system.

I personally think that this will tarnish the reputation of Air. I so have asked him in a comment why not display the warning before the application asks to access the file system, while offering at the same time an option to ask to never display this warning again. Surprisingly Oliver reacts to my comment in a second post. All I can say is that he doesn't like the "just in time warning" solution. 🙂

Annoying Air security warning

Before this post I was convinced that there will be two ways to publish an Air application. The one that only uses network access (with subtleties regarding a dedicated folder for each application, SQLite and a Shared Object) and the other that uses full file system access and could possibly pushes data to the internet but warn the user that it will.

I love Air, I love Flash desktop applications since a long time, I'm their first fan, but letting Air freely access the user file system is a good thing but also the worst argument against it. What differentiates Air from SWFStudio, mProjector or any other Flash desktop application is the badge and the ability to continue to run an application from the web to the desktop. It's what attracted me first with Air. Air sells the ability to continue to use the web on the desktop. By doing this it tells the user that it is as secure as the web on the desktop, we must respect this.

I think there is no need to warn the user if there is no risk. If Air need to access the file system we must warn them, but please do not tell that installing an Air application is a risk for them whatever they do. Most of applications will not need file system access (other than SQlite, dedicated folder or Shared Object), if they will, the message will be shown without penalizing applications that do not access the file system.

--- sorry, this post is not clear at all, I must add the following content to clarify what it wants to say ---

After having discussed it, thought to it, I realize the only important thing for me is that we do not have any warning regarding "file system access security", "unknown publisher" or "security risk" warning when installing a "restricted" application. It's what scared me finally.

I agree with Oliver, warn the user at the installation of an "unrestricted" application is mandatory. And if we already have warn them we must not display any warning messages anymore in the application. My solution would have been valid only during the period when we cannot publish "restricted" application.

But I'm not convinced that users will continue to have "security risk" and "unknown publisher" warnings, even in "restricted" mode. The real problem emerging under that choice is "Air could or couldn't be as secure as a web browser in restricted mode" and Adobe could or couldn't delete those warnings in "restricted" mode.

7 Replies to “Users must trust Air”

  1. “I think there is no need to warn the user twice … if there is no risk.”

    I’m sorry but I strongly disagree and I see Oliver’s point of view. One area you’re neglecting is updates where functionality is added.

    I can see your point about a warning before use but I think that’s unworkable. In fact, the AIR app installer/updater is more lax than, say, my Aidum IM client who asks to access my keychain every time it’s upgraded and a new version is pushed out (about every two weeks at present).

    do you see this behaviour of other programs? why should AIR be any different? you agree to have the runtime installed. you further trust the applications using it. that’s already a lot of backing out power…

    “… (there is two warning messages on the confirmation box above) …”

    I don’t think anyone is bothered to be honest.

    please don’t take this personally, but on this point I disagree

  2. Barry> One area you’re neglecting is updates where functionality is added.

    Hi Barry.

    With the “on file read/write access” warning solution, if you have checked the box that asks the application not to bore you again with those warnings, you could update your application without to have any message. In this case, user have be warned at least one time in the past that THIS application want to access his file system, he does not have the message that tells that Air is dangerous at the installation. This is fair.

    Barry>do you see this behaviour of other programs?

    Many other do, mainly your browser when saving a file.

    First think that Air is not a program as any other, this is the root of the problem. You first have installed a runtime to launch an Air application. By doing this you have accepted to launch Air files. Does Microsoft Word or OpenOffice tells the user the document could damage their system when opening any word document ? It does not. But a word document could run macros that are well known to be potentially dangerous too … they warn you when the document is opened and contains macro only.

    The message Adobe sends to the world when launching Apollo was that Air will be an extension of the browser that will work as the web out the web.

    Users don’t care about he “this is a new sort of application that will revolutionize … blah blah”. Air is more complicated, it needs a runtime to install first, a badge to click on, an installer to follow, a security message to accept… users will only retain that Air offer something that others don’t : it is an extension of the browser on their desktop. Telling them that it is not, is not a good thing.

    Accessing the file system must only be an option, with a warning that tells users that apart this time it need to access their file system, Air is as secure as their web browser.

  3. That’s bad news.

    I won’t advice using AIR until they translate and change the dialog color (no black & red please).

    Now waiting for mProjector 4… sorry Adobe.

  4. I can see where you’re coming from but I think we have a difference of opinion on what AIR actually is.

    my install of iTunes is AIR-like if the view is that AIR is bringing browser-like capabilities to the desktop. the end user, however, doesn’t care – they just click on the online store menu or podcast search and consider it just part of the (desktop) application.

    the real value of AIR is not for end users to think they can have a desktop version of their browser experiance, but (1) for developers leveraging their DHTML/Flex/AS3 skills in (2) creating cross platform applications. At least that’s why I’m interested in AIR. Lots of apps reach out to the cloud (even MSOffice apps as you look for templates, updates or help)

    I take your point about Word Macro’s but then again, you’re talking about an applications loaded content (just a file which could could come from anywhere), not the application itself. MSWord can – and does – reach all over the file system. Apps we use every day can have powerful effects to the core system. People don’t even seem to batter an eyelid with a related area – privacy. How much information does my Aidum IM client send back to base? I don’t know. Do I care that Gmail reads every email of mine so it can throw targeted advertising at me? I do, but not enough to change.

    in the end it comes down to trust, which is where certificates come in. If Thwate issue a cert that’s attached to a dodgy app it can be tracked.

    which is why Oliver and the rest of the AIR team are offering free Thwate certs for people to use for their apps – to try and build confidence.

    heck, even Twirl (Twitter AIR client) uses an unsigned cert…

  5. I realize that I’m confusing something. Oliver never tells that the warnings will all stay in the installer even with “restricted” applications.

    What make me react was that warnings could stay for “restricted” application as they are today for all applications (without the unrestricted system acces warning of course).

    In the future, if every warnings disappear when exporting a “restricted” application, I agree with him that the warning in the installer is sufficient for “unrestricted” application. But we must not have any of the “security risk”, “publisher identity” or “system access” warnings.

    The problem is that I’m sadly convinced that this will not be the case (?).

  6. Philippe – I believe v1.1 will allow you to style the install/upgrade screens.

    I personally can’t see the point of these warnings as few users will bother reading them even if they can understand them.
    Witness what happened when someone bought the Google AdWord ‘click here to be infected with a virus’, for instance.

  7. @Tom

    for the vast majority of users, I’m sure you’re right. But it does provide a level of “backside covering” for Adobe as well as allowing commercial applications to “have a value” when they’re providing a cert (so you can “trust” the unrestricted system access)

Leave a Reply

Your email address will not be published. Required fields are marked *

*

* Please Add the Values