I’ve posted the code for this second version of the touch scrolling demo. It was pretty trivial to optimize it this far. With a little more work it’ll be as smooth as silk and as fast as Apolo Ohno. :)

Over the past few days I’ve received some questions about the performance of Flex apps on mobile devices. My Census RIA Benchmark has been a great way to compare the performance of various data loading techniques and technologies. Now that I have my Android based Nexus One mobile device with an early build of Flash Player 10.1 I wanted to see how fast I could load and render large amounts of data in a Flex application. I’m really impressed with the results! 20,000 rows of data loaded from the server and rendered on my phone in about 2 seconds! Those 20,000 rows can then be sorted on the device instantaneously. Pretty amazing performance for such a little device! Check out the video:

You can run the mobile version of the Flex AMF Census Test and check out the source code. Let me know what you think.

One of the challenges of running existing web content on mobile devices is that user interactions differ between mediums. For instance, on a normal computer with a mouse, scrolling though lists is often done by clicking on scroll bars or mouse wheels. On mobile devices that lack a pointing device this is not the best interaction paradigm. On devices with touch screens the paradigm for scrolling is usually a swipe gesture.

In Flash Player 10.1 there are APIs for gestures and multitouch events. I thought it would be fun to hook up the list scrolling on a Flex 4 List to the TouchEvent on my Nexus One. Check out the video:

If you want to see how I created this simple demo, check out the source code. Let me know if you have any questions.

BTW: The app I created for the demo is available at bit.ly/tdfmdb.

• An article I wrote has been published on the online Flash & Flex Developer’s Magazine: Flex and The Cloud: Is this really just Client/Server 2.0?
• I’ll be speaking on Thursday, February 18 2010 at the Denver Flex User Group about Flex and The Cloud
• The recording of a webinar I co-hosted on the new Salesforce.com Cloud platform for developers has been posted
• Jeff Douglas has posted a video walk through showing how to use the new Salesforce.com Flash Builder 4 extension for Flex + Cloud apps

Exciting stuff! Let me know what you think!

Adobe released security updates for the Flash runtimes: Flash Player 10.0.42.34 and Adobe AIR 1.5.3. The Flash Player update fixes an issue with mouse scroll wheels not working in Flash when using Safari.

Recently, Adobe also released public betas for Adobe AIR 2 and Flash Player 10.1. This Flash Player release fixes the “Incorrect unicode input in Linux” bug. Both AIR 2 and Flash Player 10.1 have a new API for Global Exception Handling (which was one of the highest rated feature requests on bugs.adobe.com). Check out Tour de Flex for some new samples on how to use this new and other new APIs.

For those looking to build Flex applications in the enterprise, Adobe has posted two great resources. First is a third-party study that says enterprise penetration of Flash Player 9 (or better) is at 97.6%! Second is a fantastic white paper about The Business Benefits of Rich Internet Applications – a must read for anyone in the enterprise who is evaluating Flex.

Last is a short video of me at Adobe MAX 2009 where I talk about the progress that Adobe is making in getting the Flash Platform onto the many screens in our lives and why that is exciting for developers. Let me know what you think!

Since Rich Internet Applications built with Flex, Silverlight, etc usually try to do more on the client side, for example mash-up data from multiple sites, the same-origin policy presents a problem.

In most cases Flash Player sticks with the typical browser sandbox concepts. But there are a few places where it goes outside this boundary such as with microphone and webcam access. Another area is by allowing opt-in to cross-domain communication bypassing the browser’s regular same-origin policy. Other plugins such as Silverlight and JavaFX also do this. This cross-domain capability is powerful but also very dangerous. The primary reason it’s dangerous is that a malicious application can potentially make requests on behalf of the user and access data from domains that the application didn’t originate from. To protect against these types of attacks Flash Player and other plugins have implemented a cross-domain policy system. This policy system is one of the most misunderstood aspects of web security.

To illustrate the problem I’ve create a few demos. Let’s say that I’m building an application for www.jamesward.com that will fetch some data from the www.firststepsinflex.com site.

Here’s that application on www.jamesward.com – open it in a new window.

The application correctly pulled the data from the www.firststepsinflex.com site but in order to allow the request I blindly put a crossdomain.xml policy file on www.firststepsinflex.com that looks like this:

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
    <site-control permitted-cross-domain-policies="master-only"/>
    <allow-access-from domain="*"/>
</cross-domain-policy>

What this policy file does is instruct Flash Player to allow requests from any website to get around the same-origin policy and make requests to www.firststepsinflex.com – on behalf of the user. Sounds harmless, right? At this point it is, as long as all of the data on www.firststepsinflex.com is publicly available data. But let’s suppose that not all of the data should be publicly available. Perhaps I’m protecting access to some data though cookie authentication or HTTP basic authentication. In this case I am (for the purpose of the demo).

See the protected data by opening up http://www.firststepsinflex.com/private/bankaccounts.html using “username” and “password” (without quotes) for the user name and password.

Now imagine that someone starts posting Twitter links (obfuscated through a URL shortener) phishing for people to open a malicious application (open it in a new window – I promise it doesn’t do anything bad).

So let’s recap… There is a protected resource that only you should be able to see in your browser. Other applications should NOT be able to see that data. But a malicious application was able to load that same data and do whatever it wants with it. Scary.

Here’s how it works… The malicious application requests the protected page. It was able to make the request because you were authenticated already. And the malicious application can now read the data contained in the page and do whatever it wants with it (probably send it back to a server somewhere).

OK. Now do you understand why crossdomain.xml policy files are dangerous? Imagine if Facebook, MySpace, or YouTube had a misconfigured policy file on their servers! Well they have – but they’ve since been fixed. Imagine if your bank or a corporate intranet had a misconfigured policy file. There are some very serious ramifications to these types of attacks.

There are also some great uses of crossdomain policy files. For instance, api.flickr.com has an open crossdomain.xml policy file. This allows applications loaded from anywhere to access Flickr data and it’s safe because api.flickr.com doesn’t use cookies or basic auth – they use web service tokens, which are not automatically transmitted by the browser and are only known to the application that performed the authentication.

I often hear from Flex / Flash developers that when they run into security sandbox issues the first thing they try is to open things up with a global (i.e. “*”) policy file. I hope this article discourages that practice. Developers should understand why the security error is happening and consider alternatives before blindly opening up their website to the possible attacks. One alternative is to leverage a server proxy. A server proxy can be configured so that an application doesn’t violate the same-origin policy. For instance, if an application on foo.com needs data from bar.com then a proxy can be configured such that requests to foo.com/bar are forwarded on the server to the bar.com site. This helps avoid attacks because users’ cookies (or basic auth tokens) will not be sent to bar.com since all requests are actually being made to the foo.com site. But be careful not to expose intranet servers through proxies. Here is a sample Apache config for setting up a forward proxy:

  ProxyRemote  /bar/*  http://bar.com/
  ProxyPass /bar http://bar.com
  ProxyPassReverse /bar http://bar.com

BlazeDS also includes a proxy service.

If you really need to use a crossdomain policy file then be very careful! NEVER put a crossdomain policy file on a site that uses cookie or basic auth and NEVER put a crossdomain policy file on an intranet site – unless you really know what you are doing. To learn how to safely use crossdomain policy files here are some great resources:

• Policy file changes in Flash Player 9 and Flash Player 10
• Cross-domain policy file specification

I hope this helps create better understanding of web security. Please let me know if you have any questions.

I wanted to build an application in Flex that shows how applications can have a high degree of reuse between the web, the desktop, and in a PDF. I decided to build a Mortgage Calculator to illustrate this. Here is the web widget:

From within the web widget you can install the desktop widget or email yourself a PDF containing the widget. Since this application is a small, self contained application (i.e. a widget) the functionality between the different mediums is very similar. In this case I was able to reuse about 99% of the code between the different versions. However, sometimes achieving that level of reuse is not possible due to the differences in client capabilities and the end user needs. This is the case with the Flex and Adobe AIR based Oracle CRM Gadgets, which are for different use cases than the primary Siebel UI.

There are beginning to be more instances where RIA widgets are being reused across different mediums. But this is only one piece of software development. In other instances the capabilities and functionality of web, desktop, and mobile applications vary so greatly that there is little reuse. Either way it’s important to architect our back ends such that they are agnostic to the front end. This is one of the ways RIA and mobile app development have changed the way we build software. It’s a good thing and we should embrace it.

How to promote your offerings to the community

Customer Success Program
The Adobe Customer Success Program (CSP) works with innovators and business
leaders to highlight how organizations use and benefit from Adobe solutions.

Adobe Site of the Day
Developers can submit applications to be included in the Adobe Site of the Day. This
submission allows us to use it in other marketing areas, like the Edge newsletter.

Flex.org
Flex.org aggregates Flex news from a number of sources, and allows community
members to contribute their own content as well.

The Solution Partner Program
The Adobe Partner Program is designed for companies that provide solution-based
sales, system integration, services, or extended products based on Adobe technology.

Adobe AIR Marketplace
Adobe AIR Marketplace is a place where developers can publish their AIR applications for
users to download. Learn more.

Community blogs
Add your feed to the Adobe blog aggregator to make sure the community at-large is
receiving the latest news on your offerings. Additionally find active community members
including Adobe evangelists who may be interested in learning more. Learn more.

How to access software for evaluation and testing

Adobe Labs
Labs provides developers with the opportunity to experience and evaluate new and
emerging innovations, technologies, and products from Adobe. Learn more.

Adobe Prerelease Program
The goal of a Prerelease Program at Adobe is to solicit early feedback on new features
and bugs in order to produce a unique and bug-free product that can deliver maximum
results.

The Solution Partner Program

How to get support and training

The Adobe Developer Connection
The ADC serves as the central resource for information on Adobe developer
technologies, providing tutorials, samples, and documentation to guide and instruct
developers. Learn more.

Adobe Support Programs
Flex, Flash, and AIR support programs for developers and enterprises include technical
help and information on planning, workflow, and deployment. Learn more.

Adobe Forums
Adobe Online Forums are for the Adobe community’s peer-to-peer discussions of both
Adobe and formerly Macromedia products.

Adobe Training and Certification
Whether you want to improve your skills, projects, or resume, Adobe training and
certification programs and resources can help you achieve your goals.

Adobe User Groups
Adobe Developer User Groups provide a forum of support and technology to web
professionals at all levels. Whether you’re a designer, a seasoned developer, or a beginner just
starting out, Adobe User Groups strengthen community, increase networking, unveil the
latest technology innovations, and reveal the techniques that turn novices into experts
and experts into gurus.

Solution Partner Program

Community Blogs

I hope that helps some of you. These programs will continue to grow and evolve. So please give us your feedback on how they are working for you. Also, don’t hesitate to email me if you have questions – I’ll respond as soon as possible! :)

Like the old Flex Component Explorer, Tour de Flex can be used to find components. But it goes way beyond just out-of-the-box Flex components. This first release contains 217 components and samples including popular Cloud APIs like Salesforce.com and Intuit, numerous community components from people like Doug McCune and Tink, commercial components from companies like ILog, and numerous other goodies. If you find something missing you can submit it!

Also in this release is an Eclipse / Flex Builder plugin which allows you to find components from inside Flex Builder!

We hope the Tour de Flex will provide an easy way for you to find components and see what is great about the Adobe Flash Platform. Give it a try and let us know what you think!