Saving Encrypted Data in AIR

Have you ever wanted to store a user’s password? You know, that little checkbox that says ‘Save Password’ on any login form. Or maybe you just want to persist a session token or other information. You could use the Local Shared Objects or even the File API, but that isn’t very secure. How do you store sensitive information that your AIR application needs to persist?

Luckily, there is an often overlooked API for just this use case. It is called the EncryptedLocalStore and is actually quite simple to use. The EncryptedLocalStore API persists data to the local system using a name-value pair scheme that is specific to each application. The name is a simple string, and the data is a ByteArray. The data is stored using both the application ID and the user information from the local system, so other AIR applications and other users cannot access the data. This API is actually hooking into the Keychain functionality on Mac and DPAPI on Windows. The data is encrypted using AES-CBC 128-bit encryption. So the main point to take away is that the data is very secure and other AIR apps or users will not be able to easily access it.

So, how do you actually use the API? Well, let’s assume that we have a session ID that is a string and we want to persist it in the EncryptedLocalStore. Let’s also assume that the session ID is stored in a variable called ‘sessionId’. One thing to note is that the data must be stored as a ByteArray, so we first need to create a ByteArray instance and add the string value to it. The code might look something like this:

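[as]
import flash.data.EncryptedLocalStore;
import flash.utils.ByteArray;
// The store only accepts binary data, so wrap the string in a ByteArray
var bytes:ByteArray = new ByteArray();
bytes.writeUTFBytes( sessionId );
EncryptedLocalStore.setItem( "sessionId", bytes );
[/as]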

To retrieve the data, you simply retrieve the ByteArray using the getItem API, and then read your UTF string value out of that ByteArray:

[as]
// getItem returns null when nothing is stored under this name
var sessionIdBytes:ByteArray = EncryptedLocalStore.getItem("sessionId");
var sessionId:String = (sessionIdBytes != null) ? sessionIdBytes.readUTFBytes( sessionIdBytes.length ) : null;
[/as]

To remove an item from the store, you simply call the removeItem API:

[as]
EncryptedLocalStore.removeItem("firstName");
[/as]

There are a few things to note when using the EncryptedLocalStore API. First, the API is synchronous and is geared towards small amounts of data. While there is no practical limit, any ByteArrays larger than 10MB might cause performance issues. Second, when debugging your application using ADL, we are actually using a different store than what is being used for installed applications. And last, when uninstalling an AIR application, the data in the EncryptedLocalStore is NOT deleted.
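Because stored items survive an uninstall and getItem returns null for a missing name, a small wrapper can make session handling safer. The following is an added example, not code from the original post or the AIR SDK; the class name `SessionStore`, the key, and the 7-day lifetime are assumptions chosen for illustration.

```actionscript
package {
    import flash.data.EncryptedLocalStore;
    import flash.utils.ByteArray;

    // Hypothetical helper (not part of the AIR SDK): stores a session ID with a
    // timestamp so values left behind after an uninstall expire on their own.
    public class SessionStore {
        private static const KEY:String = "sessionId";
        private static const MAX_AGE_MS:Number = 7 * 24 * 60 * 60 * 1000; // assumed lifetime

        public static function save(sessionId:String):void {
            var bytes:ByteArray = new ByteArray();
            bytes.writeDouble(new Date().time); // time of storage, ms since epoch
            bytes.writeUTF(sessionId);          // length-prefixed UTF-8 string
            EncryptedLocalStore.setItem(KEY, bytes);
        }

        // Returns the stored session ID, or null if missing, expired or unreadable.
        public static function load():String {
            var bytes:ByteArray = EncryptedLocalStore.getItem(KEY);
            if (bytes == null) {
                return null; // nothing stored under this name
            }
            try {
                bytes.position = 0;
                var savedAt:Number = bytes.readDouble();
                var sessionId:String = bytes.readUTF();
                var age:Number = new Date().time - savedAt;
                if (age < 0 || age > MAX_AGE_MS) {
                    clear(); // expired, or the clock moved backwards: drop it
                    return null;
                }
                return sessionId;
            } catch (e:Error) {
                clear(); // entry was written in a different layout: discard it
            }
            return null;
        }

        // Call on logout so the token does not outlive the session.
        public static function clear():void {
            EncryptedLocalStore.removeItem(KEY);
        }
    }
}
```

The server should still enforce its own session expiry; the local timestamp only limits how long a leftover entry is reused by the client.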

One last note as well, this API is available to both Ajax and Flash based AIR applications, like all ActionScript APIs.

How to Push AIR Application Updates

One of the benefits of web applications is the ability to quickly publish updates to the application to your end users. As soon as you upload the changes to your web server, your users are enjoying the latest version! With AIR, this becomes a little more difficult. What if your user is offline? Should they be able to use the application if a new version is available? AIR provides an updater API (Updater.update), which will install a new AIR file over an existing application, but doesn’t solve any of the problems mentioned above.

Enter the new Adobe AIR Update Framework. This framework was developed internally and allows you to focus on building your application, not the logic for handling updates. Using a simple API and schema for storing version information, the updater API will allow both Ajax and Flash/Flex developers to push updates with a minimal amount of work. On top of the logic for handling updates, they even provide some default UI for you to use. So, if you are trying to figure out how to handle updates in your AIR application (which you should definitely be doing starting in the first version of your app) you now have no excuse to put off that work.

Free Flex, Flash and AIR Books

Recently I was lucky enough to participate in the authoring of a book on JavaScript development in AIR with Mike Chambers, Kevin Hoyt, and Dragos Georgita. What has been great about this book is how well it has been received by the community and the fact that you could download a PDF copy of it for free (you can still purchase a hard copy as well at Amazon). What wasn’t great, was that it was only in English.

Over the past few months, Mike Chambers has been working on a solution to this problem, and what he has come up with is going to be an amazing resource. The site is called toString.org and encourages developers to submit translations to the site for publishing. Mike describes the site as:

…a site that hosts books about Rich Internet Applications, with a focus on books that leverage the Adobe RIA Technology Platform (Adobe Flash Player, Adobe AIR, Adobe Flex).

Currently there are two books on the site, both the Flex and the JavaScript pocketguides for AIR development. There are already a few translations as well. Mike is not done with the site yet and says that many new features are coming soon, including offline support through an AIR application, REST APIs, and diffing capability for reviewing changes between updates.

Taking Your Applications Offline Using AIR

When we are out talking to developers about AIR, we spend a lot of time discussing offline applications. AIR has a lot of functionality for building offline applications such as connectivity APIs and an embedded SQLite database engine. What we don’t focus on is how you actually approach architecting these applications. Not only do you need to consider how to architect your code, but how do you actually surface the functionality to the end user?

Google recently announced a new browser plugin that allows you to build offline applications within the browser called Google Gears. Much like AIR, Google Gears uses an embedded SQLite database to store data for offline access. But again it is up to the developer to consider how to architect their application to use this functionality effectively.

Although there are differences between the Google Gears and AIR implementations, the way you architect your application is going to be very similar. Google just recently published a case study of a startup called Remember the Milk that is using Google Gears to do offline data storage within its Ajax based task management application. Although this article is targeted at developers using Google Gears, there is a lot of information that will be valuable if you are developing a Flex, Flash, or Ajax based AIR application and want users to have access to online data when they are offline.

The Desktop Takes Center Stage Again

One thing I am asked about every so often is the reasoning behind building a desktop runtime when, over the last few years, people have been moving to the web. Even though there are benefits to building purely web based applications using Flex, Ajax, or other similar technologies, you still are leaving a lot of functionality on the table when making that transition. The question is, what platform can I use to get the best of both the desktop and the browser? I believe AIR is the answer to that question and I think other people are starting to take notice.

BusinessWeek has a great article today that discusses exactly this issue. From the article:

Perhaps most important for developers, the desktop’s advantage is that it is still the first thing users see when they turn on their computer. If your icon is there, it’s more likely that a user will opt to use your product—rather than the myriad other programs on the Web. Says Kay of Finetune: “It’s not in a browser window that might get closed.”

Read the entire article here.

New AIR Pocketguide from O’Reilly on Amazon

The new AIR Pocketguide for JavaScript Developers that Mike Chambers, Kevin Hoyt, and I wrote is now available on Amazon. For some reason the cover isn’t shown on Amazon but I have attached it here. This book is in the same format as the Apollo for Adobe Flex Developers Pocket Guide that we released during the beta but focuses on developing AIR applications using JavaScript.

Amazon will not be the only way you can get your hands on the book. We will be making a PDF of the book available and you can also get a free printed copy by attending one of the free onAIR Bus Tour events around the country. Also, the contents of the book are released under a Creative Commons license.

Flash, Ajax, and Ruby on Rails Integration Screencast

As noted by many people last week, Adaptive Path (who coined the term Ajax) has released an amazing new Flash based slider component that can be controlled via JavaScript, much like the Yahoo! Maps API. The component is utilizing the Flash JavaScript Integration Kit that was released a few months ago which Christian, Mike and I have worked on.

Yesterday, while I was browsing some of the Ruby on Rails blogs, I came across this post. In it, Rick Olson (also known as Rails Weenie) demonstrates in a screencast how you can integrate this new slider component into a Ruby on Rails application using a Rails plugin.

It is great to see all of these technologies integrated seamlessly like this. This screencast also illustrates the fact that Flash and Ajax do not necessarily have to be mortal enemies bent on destroying the other. Sometimes the debate has been positioned this way, which is a shame. There is no doubt that there is a place for each technology and sometimes they will intersect in interesting and wonderful ways that benefit the end user and their interaction with your application.