Feeds

The trinity of RIA security explained

Of servers, data and policies

Build a business case: developing custom apps

The phrase "Rich Internet Applications" has become a popular term for applications that run inside your browser or on your desktop and that interact with web applications or web services. RIA platforms include JavaScript (part of the AJAX umbrella), Adobe System's AIR, Microsoft's Silverlight, Java applets, and Java JFX from Sun Microsystems.

Sure, they look pretty with all that video, those rounded buttons and pop-up Windows - but should we trust them? These applications are, after all, downloaded from websites that can be good, bad or compromised. So what's there to protect users and server applications from a renegade RIA?

To get a good picture of RIA security, think of your browser as a multi-user operating system that is running your RIA along with many other hostile programs. There are two key security protections that limit what an RIA can do. They are known as the "same origin policy" and the "sandbox." Without these protections, a rogue RIA could access anything you see on the web and could also ravage your computer. Unfortunately, both policies have a long history of problems and they were never designed to handle RIAs.

Web 1.0 techniques challenged

If two sites share the same protocol ("http"), domain ("www.foo.com"), and port (80), we say they are from the "same origin." Browsers are supposed to restrict RIAs from accessing anything that is not from the same origin. As the number of data structures and services in the browser increases, there's an explosion of places where the same origin policy must be applied. You can test it with DOM Checker, which runs almost 1,400 test cases. The latest version of Microsoft's Internet Explorer fails 13 of these checks and Firefox fails 25. But even if enforcement were perfect, we would still have to deal with cross-site problems like cross-site request forgery and cross-site scripting, which bypass the policy.

If the same origin policy is like walls within the browser, then the sandbox is the floor, protecting the operating system from malicious RIAs. The sandbox is also absolutely critical for RIAs. Without it, malicious RIAs could compromise the entire operating system and all the data and applications on it. The sandbox is complicated thing to manage, though, as the browser will have legitimate reasons for accessing local files and launching local executables.

Getting these policies implemented would be hard enough. Things are made harder still, though, by the fact that each RIA framework has its own environment that installs into the browser, and they can all communicate through the DOM. Each plug in is responsible for enforcing its own version of the same origin and sandbox policies. There is also quite a lot of pressure on the folks building RIA platforms to allow even more cross-domain and cross-sandbox functionality. New use cases for sharing data and creating mashups will finally stretch policies that were never intended for anything more than Web 1.0 past their breaking point.

Know your frameworks

So, what can you do? First, be sure that you understand exactly what policies your RIA framework is trying to enforce. You may find that it simply doesn't provide the security controls you thought it did. There is absolutely no way to create a secure application without understanding what security the environment provides.

For now, recognize that your RIA is going to be running in a hostile environment with sketchy walls and a rotten floor. When you design your RIA, make sure that critical security decisions - particularly authentication and access control - are not made in the client-side code.

These decisions should be made on the server side, where such decisions and code are safe from tampering. You should also minimize the data that is stored on the client, and provide a way to clear out the data as soon as it is no longer needed. Input validation and encoding are, as always, critical security controls that you will need to implement carefully.

Remember, these RIA platforms and frameworks are still very new. They all have lots of parsers and interpreters in them, and they have to enforce very complex security policies. The more you can minimize the number of technologies you are using, the better for security.

Don't think of security as restricting what RIAs can do. The same origin policy and the sandbox are the security mechanisms that have allowed us to have such a diverse internet. We need to continue to enhance security controls for RIAs so that we can take advantage of their awesome features. With so much demand for RIAs that are capable of accessing multiple data sources, we need to bring the same origin policy up to the application layer and make decisions based on the true "originator" of services and data, not just the last "origin" they happened to come from.®

Jeff Williams is the founder and CEO of Aspect Security and the volunteer chair of the Open Web Application Security Project. His latest project is the Enterprise Security API, a free and open set of foundational security building blocks for developers.

Bridging the IT gap between rising business demands and ageing tools

More from The Register

next story
NO MORE ALL CAPS and other pleasures of Visual Studio 14
Unpicking a packed preview that breaks down ASP.NET
Cheer up, Nokia fans. It can start making mobes again in 18 months
The real winner of the Nokia sale is *drumroll* ... Nokia
DARPA-derived secure microkernel goes open source tomorrow
Hacker-repelling, drone-protecting code will soon be yours to tweak as you see fit
Put down that Oracle database patch: It could cost $23,000 per CPU
On-by-default INMEMORY tech a boon for developers ... as long as they can afford it
Google shows off new Chrome OS look
Athena springs full-grown from Chromium project's head
Apple: We'll unleash OS X Yosemite beta on the MASSES on 24 July
Starting today, regular fanbois will be guinea pigs, it tells Reg
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
prev story

Whitepapers

Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Seven Steps to Software Security
Seven practical steps you can begin to take today to secure your applications and prevent the damages a successful cyber-attack can cause.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.