Daniel Dura

All About the Adobe Flash Platform

Saving Encrypted Data in AIR

with 6 comments

Have you ever wanted to store a users password, you know, that little checkbox that says ‘Save Password’ on any login form. Or maybe you just want to persist a session token or other information. You could use the Local Shared Objects or even the File API, but that isn’t very secure. How do you store sensitive information that your AIR application needs to persist?

Luckily, there is an often overlooked API for just this use case. It is called the EncryptedLocalStore and is actually quite simple to use. The EncryptedLocalStore API persists data to the local system using a name-value pair scheme that is specific to each application. The name is a simple string, and the data is a ByteArray. The data is stored using both the application ID and the user information from the local system, so other AIR applications and other users cannot access the data. This API is actually hooking into the Keychain functionality on Mac and DPAPI on Windows. The data is encrypted using AES-CBC 128-bit encryption. So the main point to take away is that the data is very secure and other AIR apps or users will not be able to easily access it.

So, how do you actually use the API? Well, lets assume that we have a session ID that is a string and we want to persist in the EncryptedLocalStore. Lets also assume that the session ID is stored in a variable called ‘sessionId’. One thing to keep note of is that the data must be stored as a ByteArray, so we first need to create a ByteArray instance and add the string value to it. The code might look something like this:

[as]
var bytes:ByteArray = new ByteArray();
bytes.writeUTFBytes( sessionId );
EncryptedLocalStore.setItem( “sessionId”, bytes );
[/as]

To retrieve the data, you simple retrieve the ByteArray using the getItem API, and then read your UTF string value out of that ByteArray:

[as]
var sessionIdBytes:ByteArray = EncryptedLocalStore.getItem(“sessionId”);
var sessionId:String = sessionIdBytes.readUTFBytes( sessionIdBytes.length);
[/as]

To remove an item from the store, you simply call the removeItem API:

[as]
EncryptedLocalStore.removeItem(“firstName”);
[/as]

There are a few things to note when using the EncryptedLocalStore API. First, the API is syncronous and is geared towards small amounts of data. While there is no practical limit, any ByteArrays larger than 10MB might cause performance issues. Second, when debugging your application using ADL, we are actually using a different store than what is being used for installed applications. And last, when uninstalling an AIR application, the data in the EncryptedLocalStore is NOT deleted.

One last note as well, this API is available to both Ajax and Flash based AIR applications, like all ActionScript APIs.

Written by Daniel Dura

June 27th, 2008 at 9:56 am

6 Responses to 'Saving Encrypted Data in AIR'

Subscribe to comments with RSS

  1. Very nice! Thanks! How’s the new house coming along? I drove by the other day and it looked a little crooked.

    Jason Fincanon

    27 Jun 08 at 12:09 pm

  2. is there a way to protect the html files from being tampered from inside, coz i notice air package installed the exact source files into the application folder. I fear some guy can just edit the source file within the application folder for malicious purpose.

    icywolfy

    29 Jun 08 at 11:40 pm

  3. Looks there are issues with the Linux version. For example my application “forgets” data stored on Linux, whereas on Win and Mac data are correctly “remembered”. If you wanna test it: http://spreadingfunkyness.com/posty

    funkyboy

    8 Jul 08 at 5:32 am

  4. Unfortunately I haven’t managed the EncrypedLocalStore to save Objects (with both properties and methods) properly. Any clue on this thing?

    Daniele

    16 Jul 08 at 12:32 am

  5. Daniele, If you are using storing objects that are custom classes, you have to use either the [RemoteClass] metadata tag or the registerClassAlias method. They can both be found in the documentation.

    Daniel Dura

    6 Aug 08 at 10:26 am

  6. @icywolfy Right now there is not a great way to encrypt HTML files in your application. Depending on how you write your application, you could encrypt your files before you package the application, write a small shell HTML file that decrypts the files and then stores and loads them from the ELS.

    Daniel Dura

    6 Aug 08 at 10:31 am

Leave a Reply