Adobe Apollo Alpha1

OK people, Adobe Apollo is out. Go grab your copy now. Keep in mind that this is the Alpha1 release so give it some time until it gets to at least beta.

For those who don’t know what Apollo is, here is my very short summary. Apollo is RIA (Rich Internet Application) framework that is based on the top of Flex. Java Webstart is also RIA although it does not provide the same functionalities as Apollo. With Apollo you can build desktop applications with Flex, JavaScript, HTML, CSS and all other web related technologies.

RIA Applications bring new challenges in the Web Security field. Expect some developments in this field very soon. The purpose of RIA is to bring web applications on the desktop. Although this is very good and exciting, keep in mind that the web should not be trusted at all. The web could be quite hostile and if the RIA application developers are not careful about it, they can easily make big mistakes that will results to some quite bad situations.

The biggest security threat for Adobe Apollo applications will be again persistent and non-persistent cross-site scripting vulnerabilities, cross-zone and cross-context scripting, etc. Fooling the user into installing a particular Apollo application will be also a problem but this is on the social engineering and phishing side of things.

I am quite concerned about insecure Apollo applications that offer inner API to hostile web applications. In a few simple steps the developer can export certain ActionScript methods into the webpage DOM. JavaScript can handle it from there and perform whatever operations are required. Cross-zone and cross-context scripting will be probably the Apollo’s thing.

Apart from Java Webstart, which IMHO is not that much RIA like, there is also WPF (Windows Presentation Foundation) with XAML from Microsoft. For now WPF is supported on Windows platforms only. If the .NET framework lifts off on other platforms with the help of MONO, we may see the beginning of the RIA wars. For now, Adobe Apollo is the winner.

Comments

Delixe responds:

I plan on starting up a development site called: http://www.codeapollo.com soon–stay tuned. I want to see where we can get with apollo and hopefully create a great collaborative community.

It will be mostly a forum so we can help each other into hopefully making Apollo very useful in web development. If you’re interested, I probably will need help and could use some loyal people to help launch it, let me know.

pdp responds:

Thanks but I am mainly interested in the security aspects around Apollo applications. I might want to code one or two though, just for fun you know.

Delixe responds:

I am interested in both, I am planning a security part of the site. =)

pdp responds:

Now when I had 5 minutes free time to check some of the sample Apollo applications, I also did some security tests. It seams that the Fresh RSS reader, a sample Apollo Application, is vulnerable to Local URLs execution (file://).

I am not going to spend more time searching for other security issues because Apollo is still in alpha, but at least this find proves my point which is: if developers are not careful enough they may leave your system open to all sort of attacks.

Mike Downey responds:

Hello -

Apollo is RIA (Rich Internet Application) framework that is based on the top of Flex.

That is very close. :)

Apollo is actually a runtime (somewhat similar to a JVM) that allows you to run RIAs on the desktop. These can either be HTML-based (Ajax…) or Flash-based. Flex is the “framework” for building Flash-based applications. The Flex framework, compiler and debugger are all free and can be downloaded from Adobe’s website (the Flex SDK). Adobe also sells an IDE for building Flex applications, based on Eclipse, called Flex Builder 2.

Regards,
Mike Downey, Adobe

pdp responds:

Hi Mike,

I am not disagreeing with you. After all, you know Apollo better then me. However, the .air files… well, they always contain one or more .swf files which in tern use the Flex browser component to render either a remote page http:// or a resource app-resource:. Which means that in the core it is all Flex.

Correct me if I am wrong. The JVM you are talking about, isn’t that some sort of an extended Flex? It doesn’t really matter what it is, but it is good to know.

Josh responds:

The Apollo runtime contains Flash Player and WebKit. Flash and Flex are not required at all to build an Apollo application. You can build an application with only HTML and JS. No SWFs needed.

GNUCITIZEN

Navigation

Comments

Respond

The Others

External Projects

Recent Posts

Random Posts

From The Cutting-edge Network