
Apollo Lands Security Concerns

Alpha version of Adobe Web development platform for desktops brings power and potential risks

Adobe Systems Inc.'s new Apollo platform may make developing Web 2.0-type applications for the desktop simpler, but it could also provide another attack vector.

The company released Apollo in alpha this week, so there's still plenty of developmental tweaking and securing to be done in the runtime environment. But the new Apollo platform raises the question of whether moving Web technologies to desktop apps also brings with it the baggage of Web-based vulnerabilities -- with user privileges, to boot?

It's not the first time Web-based desktop technology has been flagged for security concerns. Google recently came under fire after Gartner revealed that the Google Desktop 3 beta software transferred files from organizations to Google's own servers -- a potential risk to intellectual property.

Adobe says it's already addressed one of the key security concerns with its Web-based technology -- minimizing the risk of script injection (think SQL injection, cross-site scripting), the nemesis of Web applications. "What Apollo does better than the browser is build in capabilities that eliminate the need to merge data and code," says Adrian Ludwig, Adobe's group product manager for Apollo. "The application is separate from the data from the get-go."

Ludwig says Apollo is for building desktop applications, not for Web apps with access to the desktop, and the company is still ironing out details on how to protect the APIs in the platform from exposure, as well as outfitting the desktop user with "proactive controls" to protect them.

The purpose of Apollo is to simplify the process of writing these apps, he says. "We felt it was appropriate to build a platform for Web developers to more easily build these types of applications" for the desktop, he says, similar to iTunes and other such desktop applications that are rooted in connection, sharing, and access to the Web.

"We are expecting to see a lot of movement of companies building Web apps into the desktop, so that you can use the app offline." eBay is using Apollo to build a prototype application for running eBay offline, he says.

But with the power of HTML, Ajax, Flex, and JavaScript at the desktop comes great responsibility, and possibly, risk, security experts say.

Researcher HD Moore took the Apollo alpha platform for a spin today. The good news is Apollo asks you whether you want to open/install a new app, according to Moore. "It displays a giant warning asking you to verify that you want to install, showing the publisher, and whether or not it's verified."

But once the application launches, he says, there is no security. "It [seems to have] full access to your system and the Internet," says Moore, who hopes to do a full-blown audit of the platform soon.

Web-app security woes often boil down to the quandary of less experienced Web developers writing the apps. "People who don't know what they are doing or the underlying details of it rush to enable or enhance a Web app to be 'Ajaxified' or 'Web 2.0'ed,' not realizing the impact that takes place," says Caleb Sima, CTO of SPI Dynamics. "It depends on how widely deployed this [Apollo] is, but I can see this as a nice playground for some" hackers.

And when it comes to XSS bugs, there is no sure-fire solution. "It's hard to say how well the security defenses will hold up without studying the technical details or testing their implementation," says Jeremiah Grossman, CTO for WhiteHat Security. "What I've learned is not to underestimate XSS vulnerabilities, where JavaScript is able to execute, and what data it can access."

Still, Adobe's Ludwig emphasizes that Apollo development is still early going. "We want to get it out into the hands of developers, and get feedback on critical features, etc.," he says. And Adobe plans to roll out an operational version 1.0 later this year.

— Kelly Jackson Higgins, Senior Editor, Dark Reading