Adobe Integrate Runtime (AIR)
RIA on Desktop
Abdul Qabiz
http://linkedin.com/in/abdulqabiz
Adobe and Adobe AIR are either the registered trademark or trademark of Adobe Systems Incorporated in the United States and/or other countries.

Desktop Apps?
Use-cases
Desktop is still important
We still use those most of times
Some data still on Desktop
We are not always connected
Some of us are occasionally-connected
Current Issues
Smart developers moved to Web :-)
Gap between Web and Desktop
Development requires special skills
Hard to update/patch
Bandwidth costs :-)

Topics
Introduction
Examples
Development
SDK/IDE/Tools
Frameworks
Security
Installation/Deployment
More Examples
Q/A

AIR: Introduction

AIR: Some more features
Native Windows/Menus
Clipboard (read/write)
Command-line arugements
Launch on Login ( != startup)
File associations (mime type handlers)
Tracking user presence (idle timeout, etc)
Taskbar/Dock icons
Application termination
Inter application communication
Application updates
DRM ;-)
Encrypted storage (uses Keychain or DPAPI - AES-CBC
128-bit)

AIR: Examples

AIR: Development
Tools
AIR SDK - compiler/debugger/packager
Aptana (Eclipse-based) for AJAX apps
Adobe FlexBuilder for Flex/Flash apps
Frameworks
No special requirement for AIR
Generally, we use these for web-apps
YUI, ExtJs, Dojo, Prototype, etc - Any AJAX
framework*
Adobe Flex Framework (Flex/Flash)

AIR: Development
AJAX app structure
Structure - HTML
Presentation - CSS
Behaviour - JS
Assets - images, swf, flv, etc
application descriptor (application.xml) - XML
Flex/Flash app structure
Application - .swf
Libs/modules - .swf
Assets - images, swf, flv, etc
application descriptor (application.xml) - XML

AIR: Descriptor format
<?xml version=\"1.0\" encoding=\"utf-8\" ?>
<application xmlns=\"http://ns.adobe.com/air/application/1.0\">
<id>com.abdulqabiz.air.BloglinesReader</id>
<name>Bloglines Reader</name>
<version>1.0</version>
<filename>BloglinesReader</filename>
<description>An offline Bloglines reader with lots of features.</description>
<initialWindow>
<title>Bloglines Reader</title>
<content>root.html</content>
<systemChrome>standard</systemChrome>
<transparent>false</transparent>
<visible>true</visible>
<width>640</width>
<height>480</height>
<minimizable>true</minimizable>
<maximizable>false</maximizable>
<minSize>320 240</minSize>
<maxSize>800 600</maxSize>
</initialWindow>
<icon>
<image16x16>icons/AIRApp_16.png</image16x16>
<image32x32>icons/AIRApp_32.png</image32x32>
<image48x48>icons/AIRApp_48.png</image48x48>
<image128x128>icons/AIRApp_128.png</image128x128>
</icon>
</application>

AIR: Security - Sandbox types
There are different sandbox types:
application
assigned to all the files in app directory
remote
Files from Internet URI
local-trusted
trusted local .swf can acces local and remote but doesn't have all AIR
privileges.
local-with-networking
local .swf (published with -use-network flag) can communicate with
remote only.
local-with-filesystem
local file (.swf, .js, .htm, etc) can read local but not remote.

AIR: Security - AJAX
application non-application (classic)
AIR API allowed No access to AIR API
XHR - all domains XHR - same domain, can be
Limited eval () - only JSON allowed to all domains
literals Window.open (..) work in
Limited dynamic code response of user-triggered
generation event.
javascript:<code> AJAX frameworks would
innerHtml work
outerHtml CSS/frame/iframe/image
dynamic-script/script-src loading
setInterval/setTimeOut
(\"x=4\", 1000)
AJAX frameworks might
break

AIR: Security - Sandbox bridging
Without bridge With bridge

AIR: Security: Sandbox Bridging
<html>
<head>
<title>Simple test</title>
<script type=\"text/javascript\" src=\"AIRAliases.js\"></script>
<script type=\"text/javascript\">
var Exposed = {};
Exposed.trace = function(str) { air.trace(str); }
Exposed.readApplicationDescriptorFile = function() {
var content;
//set content to descriptor content
return content;
}
function doLoad()
{
document.getElementById('UI').contentWindow.parentSandboxBridge = Exposed;
}
</script>
</head>
<body onload=\"doLoad();\">
<iframe id=\"UI\"
src=\"ui.html\"
sandboxRoot=\"http://SomeRemoteDomain.com/\"
documentRoot=\"app:/\"
</iframe>
</body>
</html>

AIR: Security: Sandbox Bridging
<html>
<head>
<title>UI</title>
<script type=\"text/javascript\">
var Exposed = {};
Exposed.trace = function(str) { air.trace(str); }
function doLoad() {
childSandboxBridge = Exposed;
}
</script>
</head>
<body onload=\"doLoad();\">
<h3>Browser Sandbox Content</h3>
<ul>
<input type=\"button\"
onclick=\"alert(parentSandboxBridge.readApplicationDescriptorFile())\" value=\"Call the
exposed function for reading application.xml\"/>
</ul>
</body>
</html>

AIR: Installation
Seamless install
installs AIR, if not found
requires Flash Player
Manual Install
download .air file and run it.
AIR needs to be installed before that.
Package AIR (the runtime) and App together?

AIR: Installation: Experience
Installation experience is consistent, it can not be modified by
the developer.

AIR: Deployment
AIR apps are deployed as .air file
Created using adt (the packager)
.air files need to be digitally signed
Certificates could be:
Self-signed - created using adt
Verisign or Thawte
Badge-installer (widget for web-site)
Version (in application.xml) - choose a right scheme
Helps while updating app

AIR: Some best practices
Be responsible - You have more privileges
FileSystem, etc.
Try not to store sensitive data on client
If you have to, encrypt it
Structure application properly
Only keep trusted files in application sandbox
Keep UI or other files in different sandbox
Digitally sign .air files
use Verisign or Thawte certificates

AIR: Some more examples

AIR: Q/A
That's it for now, you got the idea :-)
Q/A?