Flex and The Cloud

The combination of Flex and The Cloud is quickly becoming an IT and paradigm changing combination. Here are a number of recently published resources for learning more about this :

Exciting stuff! Let me know what you think!

Exciting Flash Platform Advancements

Recently there has been a number of exciting advancements with the Flash Platform (Flex, Flash Player, and Adobe AIR). Here is a quick round-up:

Adobe released security updates for the Flash runtimes: Flash Player and Adobe AIR 1.5.3. The Flash Player update fixes an issue with mouse scroll wheels not working in Flash when using Safari.

Recently, Adobe also released public betas for Adobe AIR 2 and Flash Player 10.1. This Flash Player release fixes the “Incorrect unicode input in Linux” bug. Both AIR 2 and Flash Player 10.1 have a new API for Global Exception Handling (which was one of the highest rated feature requests on bugs.adobe.com). Check out Tour de Flex for some new samples on how to use this new and other new APIs.

For those looking to build Flex applications in the enterprise, Adobe has posted two great resources. First is a third-party study that says enterprise penetration of Flash Player 9 (or better) is at 97.6%! Second is a fantastic white paper about The Business Benefits of Rich Internet Applications – a must read for anyone in the enterprise who is evaluating Flex.

Last is a short video of me at Adobe MAX 2009 where I talk about the progress that Adobe is making in getting the Flash Platform onto the many screens in our lives and why that is exciting for developers. Let me know what you think!

How Bad Crossdomain Policies Expose Protected Data to Malicious Applications

The web’s success has been partially due to the sandbox it provides users. Users do not generally have to entirely trust every website they visit because malicious web sites should be sandboxed from doing the user harm. One way that web sites are sandboxed is through a same-origin policy. By default any code that runs inside a web browser can only access data from the domain in which the code originated from. So if code (JavaScript, Flash, etc) loads from the foo.com domain then it can’t access data on the bar.com domain. The code may be able to make requests to bar.com but the code from foo.com shouldn’t be able to read or access the results of those requests.

Since Rich Internet Applications built with Flex, Silverlight, etc usually try to do more on the client side, for example mash-up data from multiple sites, the same-origin policy presents a problem.

In most cases Flash Player sticks with the typical browser sandbox concepts. But there are a few places where it goes outside this boundary such as with microphone and webcam access. Another area is by allowing opt-in to cross-domain communication bypassing the browser’s regular same-origin policy. Other plugins such as Silverlight and JavaFX also do this. This cross-domain capability is powerful but also very dangerous. The primary reason it’s dangerous is that a malicious application can potentially make requests on behalf of the user and access data from domains that the application didn’t originate from. To protect against these types of attacks Flash Player and other plugins have implemented a cross-domain policy system. This policy system is one of the most misunderstood aspects of web security.

To illustrate the problem I’ve create a few demos. Let’s say that I’m building an application that will fetch some data from the crossdomaindata.herokuapp.com site.

Here’s that application on crossdomaindashboard.herokuapp.com – open it in a new window.

The application correctly pulled the data from the crossdomaindata.herokuapp.com site but in order to allow the request I blindly put a crossdomain.xml policy file on crossdomaindata.herokuapp.com that looks like this:

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
    <site-control permitted-cross-domain-policies="master-only"/>
    <allow-access-from domain="*"/>

What this policy file does is instruct Flash Player to allow requests from any website to get around the same-origin policy and make requests to crossdomaindata.herokuapp.com – on behalf of the user. Sounds harmless, right? At this point it is, as long as all of the data on crossdomaindata.herokuapp.com is publicly available data. But let’s suppose that not all of the data should be publicly available. Perhaps I’m protecting access to some data though cookie authentication or HTTP basic authentication. In this case I am (for the purpose of the demo).

See the protected data by opening up http://crossdomaindata.herokuapp.com/private/bankaccounts.html using “username” and “password” (without quotes) for the user name and password.

Now imagine that someone starts posting Twitter links (obfuscated through a URL shortener) phishing for people to open a malicious application (open it in a new window – I promise it doesn’t do anything bad).

So let’s recap… There is a protected resource that only you should be able to see in your browser. Other applications should NOT be able to see that data. But a malicious application was able to load that same data and do whatever it wants with it. Scary.

Here’s how it works… The malicious application requests the protected page. It was able to make the request because you were authenticated already. And the malicious application can now read the data contained in the page and do whatever it wants with it (probably send it back to a server somewhere).

OK. Now do you understand why crossdomain.xml policy files are dangerous? Imagine if Facebook, MySpace, or YouTube had a misconfigured policy file on their servers! Well they have – but they’ve since been fixed. Imagine if your bank or a corporate intranet had a misconfigured policy file. There are some very serious ramifications to these types of attacks.

There are also some great uses of crossdomain policy files. For instance, api.flickr.com has an open crossdomain.xml policy file. This allows applications loaded from anywhere to access Flickr data and it’s safe because api.flickr.com doesn’t use cookies or basic auth – they use web service tokens, which are not automatically transmitted by the browser and are only known to the application that performed the authentication.

I often hear from Flex / Flash developers that when they run into security sandbox issues the first thing they try is to open things up with a global (i.e. “*”) policy file. I hope this article discourages that practice. Developers should understand why the security error is happening and consider alternatives before blindly opening up their website to the possible attacks. One alternative is to leverage a server proxy. A server proxy can be configured so that an application doesn’t violate the same-origin policy. For instance, if an application on foo.com needs data from bar.com then a proxy can be configured such that requests to foo.com/bar are forwarded on the server to the bar.com site. This helps avoid attacks because users’ cookies (or basic auth tokens) will not be sent to bar.com since all requests are actually being made to the foo.com site. But be careful not to expose intranet servers through proxies. Here is a sample Apache config for setting up a forward proxy:

  ProxyRemote  /bar/*  http://bar.com/
  ProxyPass /bar http://bar.com
  ProxyPassReverse /bar http://bar.com

BlazeDS also includes a proxy service.

If you really need to use a crossdomain policy file then be very careful! NEVER put a crossdomain policy file on a site that uses cookie or basic auth and NEVER put a crossdomain policy file on an intranet site – unless you really know what you are doing. To learn how to safely use crossdomain policy files here are some great resources:

I hope this helps create better understanding of web security. Please let me know if you have any questions.

RIAs on the Web, on the Desktop, and in a PDF

Some believe that the “Internet” in “rich Internet application” (RIA) means that RIAs must only run in the browser. However my definition of RIA is not constrained to only web-based applications. RIAs can run anywhere: web, desktop, mobile devices, TVs, or even inside PDFs. Ideally we should have some level of code and library reusability between these environments. However to think that we can reuse the entire application is a pipe dream. Client capabilities and end user needs vary too greatly between these mediums.

I wanted to build an application in Flex that shows how applications can have a high degree of reuse between the web, the desktop, and in a PDF. I decided to build a Mortgage Calculator to illustrate this. Here is the web widget:

From within the web widget you can install the desktop widget or email yourself a PDF containing the widget. Since this application is a small, self contained application (i.e. a widget) the functionality between the different mediums is very similar. In this case I was able to reuse about 99% of the code between the different versions. However, sometimes achieving that level of reuse is not possible due to the differences in client capabilities and the end user needs. This is the case with the Flex and Adobe AIR based Oracle CRM Gadgets, which are for different use cases than the primary Siebel UI.

There are beginning to be more instances where RIA widgets are being reused across different mediums. But this is only one piece of software development. In other instances the capabilities and functionality of web, desktop, and mobile applications vary so greatly that there is little reuse. Either way it’s important to architect our back ends such that they are agnostic to the front end. This is one of the ways RIA and mobile app development have changed the way we build software. It’s a good thing and we should embrace it.

Fonts in Flex 4 / Flash Player 10 / AIR 1.5 Make Me Happy

Device font rendering in Flash content has always had some limitations, including the inability for text to be correctly scaled, rotated, and faded. Due to these limitations many developers using Flex resort to embedding fonts. But this can really bloat the size of applications – especially when working with non-English languages. Luckily Flash Player 10 / AIR 1.5 added a new font engine! To make using the new engine easy Adobe also created an open source library called the Text Layout Framework, which wraps Flash Player’s low level text APIs. Flex 4 Spark components use the Text Layout Framework for all text rendering. The end result is much better device font support in Flex applications. Here’s a quick example (view source):

Drag the slider to change the scaleX and scaleY on the Panels. Notice how the Flex 3 / Flash Player 9 text jumps around and flickers. And then notice how the Flex 4 / Flash Player 10 text looks wonderful as it scales up and down! That makes me happy.

Flash Platform Partner Resources

The Flash Platform (Adobe AIR, Flash Player, Flex, etc.) has become a mainstream software development platform. This is very exciting but also leads to me getting a boat-load of email. That is great! I love hearing from the community and answering questions. I do respond to every email I get – even if it takes a year! I am frequently asked about partnerships. It seems that everyone who is building products or services related to the Flash Platform wants to know how they can help Adobe and how Adobe can help them. I love getting these emails because as the ecosystem around the Flash Platform grows, the Platform itself grows. But due to my often high latency in responding to email I figured it would be good to document many of the Flash Platform Partner resources that are already out there. Here they are…

How to promote your offerings to the community

Customer Success Program
The Adobe Customer Success Program (CSP) works with innovators and business
leaders to highlight how organizations use and benefit from Adobe solutions.

Adobe Site of the Day
Developers can submit applications to be included in the Adobe Site of the Day. This
submission allows us to use it in other marketing areas, like the Edge newsletter.

Flex.org aggregates Flex news from a number of sources, and allows community
members to contribute their own content as well.

The Solution Partner Program
The Adobe Partner Program is designed for companies that provide solution-based
sales, system integration, services, or extended products based on Adobe technology.

Adobe AIR Marketplace
Adobe AIR Marketplace is a place where developers can publish their AIR applications for
users to download. Learn more.

Community blogs
Add your feed to the Adobe blog aggregator to make sure the community at-large is
receiving the latest news on your offerings. Additionally find active community members
including Adobe evangelists who may be interested in learning more. Learn more.

How to access software for evaluation and testing

Adobe Labs
Labs provides developers with the opportunity to experience and evaluate new and
emerging innovations, technologies, and products from Adobe. Learn more.

Adobe Prerelease Program
The goal of a Prerelease Program at Adobe is to solicit early feedback on new features
and bugs in order to produce a unique and bug-free product that can deliver maximum

The Solution Partner Program

How to get support and training

The Adobe Developer Connection
The ADC serves as the central resource for information on Adobe developer
technologies, providing tutorials, samples, and documentation to guide and instruct
developers. Learn more.

Adobe Support Programs
Flex, Flash, and AIR support programs for developers and enterprises include technical
help and information on planning, workflow, and deployment. Learn more.

Adobe Forums
Adobe Online Forums are for the Adobe community’s peer-to-peer discussions of both
Adobe and formerly Macromedia products.

Adobe Training and Certification
Whether you want to improve your skills, projects, or resume, Adobe training and
certification programs and resources can help you achieve your goals.

Adobe User Groups
Adobe Developer User Groups provide a forum of support and technology to web
professionals at all levels. Whether you’re a designer, a seasoned developer, or a beginner just
starting out, Adobe User Groups strengthen community, increase networking, unveil the
latest technology innovations, and reveal the techniques that turn novices into experts
and experts into gurus.

Solution Partner Program

Community Blogs

I hope that helps some of you. These programs will continue to grow and evolve. So please give us your feedback on how they are working for you. Also, don’t hesitate to email me if you have questions – I’ll respond as soon as possible! :)

Take the Tour de Flex

Over the past few months Greg Wilson, Christophe Coenraets, and myself have been hard at work on a secret project. So today we are proud to announce the new Tour de Flex has just gone live! Tour de Flex showcases the capabilities of Flex, BlazeDS, LCDS, Adobe AIR, and Flash Player (now collectively called the Adobe Flash Platform).

Like the old Flex Component Explorer, Tour de Flex can be used to find components. But it goes way beyond just out-of-the-box Flex components. This first release contains 217 components and samples including popular Cloud APIs like Salesforce.com and Intuit, numerous community components from people like Doug McCune and Tink, commercial components from companies like ILog, and numerous other goodies. If you find something missing you can submit it!

Also in this release is an Eclipse / Flex Builder plugin which allows you to find components from inside Flex Builder!

We hope the Tour de Flex will provide an easy way for you to find components and see what is great about the Adobe Flash Platform. Give it a try and let us know what you think!

Flash Player for 64-bit Linux – BETA NOW AVAILABLE!

Getting Flash Player working on 64-bit Linux systems has been a challenge. But not anymore! Today Adobe Systems released a beta of native Flash Player 10 for 64-bit Linux! Check it out and report bugs to the open Flash Player bug database. Here is a short video I shot of me testing the new Flash Player 10 plugin for 64-bit Ubuntu Linux. Let me know what you think!

Lets all get Drunk on Software!

On a recent dreary Saturday afternoon in Denver my friend Jon Rose and I decided to give the video podcasting thing a try. The first episode is about the changes to the recently released Flash Player 10 that will impact software developers (primarily those of the Flex persuasion). When preparing to record the interview we decided to break out the Glenlivet. One thing led to another and somehow we came up with the name “Drunk on Software” as a cheap ripoff of the popular “Joel on Software” blog. But don’t worry… Even though some episodes will involve drinking they will hopefully be coherent and useful. In the future we will be interviewing the smart people we know in the Denver area (or wherever Jon and I happen to be). So if you’d be interested in being interviewed and can handle being barraged with questions while we drink fine liquor, please let us know!

Check out Episode 1 and let us know what you think!