I found this really strange, a co worker pointed this out to me.
He installed my Poker Blind Timer - Air Version and then went into
c:\Program Files\Poker Blind Timer\META-INF\AIR\application.xml
And edited a lot of the application settings, run the app again, and it changed to reflect the edits, you can change the title, logo, and windows size, allow minimize etc.
As a developer you want and need to control these things, why would they just put all that in an XML file and allow anyone to come along and edit it. I know you can do similar stuff with registry edits for other programs, but thats a lot harder and less obvious.
8 comments:
I'm commenting without thinking too much about this, but my initial reaction is that this is not really a "security" risk. Sure a curious and ambitious user can go modify those settings, but does that really pose a "security" risk? It may goof up their local copy of your application, but hey that's their problem, not yours. Is there anything inherently dangerous they can do by modifying those settings?
I agree with Todd; there is no security issue here. IMO it's a feature. Why is it a problem if someone wants to customise an app running on their computer?
It's as much a "security risk" as it is that a user of your website could disable CSS, JavaScript, and using an extension like Firebug, even modify the text of your pages as it appears on the user's own screen (but nobody else's).
Incidentally, if you *really* need to prevent a curious user from twiddling with certain settings, you check into the flash.data.EncryptedLocalStore API.
References:
LiveDocs: http://tinyurl.com/67naqs
Cantrell's Blog: http://tinyurl.com/5mqfgg
Yeah sorry have to agree with others IMO registry tweaks are about the same in dificulty (as joe public will have a hard time finding the file). Besides its thier machine and they have the rights to edit stuff - just not expect support to fix things that break after they "play"
This is bad. While from a user standpoint it is great to be able to modify these things, from a development viewpoint I cant have users fiddling with or peeking through my code. What if I wanted to develop an application using an unpublished or secure API? This is terrible from a security standpoint. Frankly, its probably why air hasn't seen wider usage.
Well,
Sure it's probably not security as in they can attack my system.
But I was thinking that there is no Security around end users tampering with your application design. What I am suggesting is that this info should be secured, encrypted etc. There for there is no security on this file.
Its not a show stopper, but highlighting these things might get them reconsidered for a future release.
It will always be true that determined users can twiddle with the bits of software installed on their machine.
I personally view this as a feature, and would not want Adobe to do anything to change this.
And as I said earlier, you are free to use the EncryptedLocalStore to store any settings you're concerned about users messing with.
I have to say that it's absolutely not a security issue in Air... you could, if you wanted to, make an argument that it's a security issue in that specific app... but even that is a reach.
Post a Comment