Flash : All Things To (Almost) Everyone

adobe_flash_8~s600x600 A few days ago, a major update to Adobe’s Flash Player (specifically Flash Player 9 Update 3) was let loose. This was a major update for Flash. It includes enhanced video support (H.264) as well as multi-core processor support for better performance. If you visit Adobe.com as of this posting, you’ll see that Flash video is a major part of Adobe’s Flash story…and rightly so. Flash is an excellent video delivery platform.

But Flash is a lot more than that. It’s evolved into a full-blown software platform. It does a lot of different things these days. Along with its leadership position in delivering Internet video, countless games have been built on Flash. It’s also the medium of choice for ultra-glossy promotional destinations for big budget movies and high profile games. On top of all that, along with Flex, Adobe’s excellent RIA platform, it’s a cross-platform for delivering business applications. That’s a lot of hats to wear, and for the most part Flash wears them well…for the most part.

At Arc90, we invested early in the Flex strategy. Not long after Flex 2 was released, we had applications running in production on the platform. There were a few kinks here and there – many expected with a young software platform – but overall it’s been the right decision for ourselves and our clients.

With the update to Flash last week, all hell broke loose. Through an obscure, poorly-documented change to how Flash handles Basic HTTP Authentication (in short, it hardly did before, and now it doesn’t at all), every one of our Flex-based software applications broke. The modification is not a bug. It’s a security fix as far as Adobe’s concerned.

A few things went wrong here:

  • We didn’t know what changed. This update was all about video. There were other changes and fixes in place, but you really have to dig to find out what’s changed. As for this particular change, you had to do some serious investigating to find out about it. If we’re going to ask our clients to rely on Flash as the “OS” to run the business software we build for them, we need a better way of finding out early how their applications may be impacted.
  • The Mysterious Propagation Of Flash. We’ve got a few thousand users that regularly use one of our Flash applications. When we found out about the problem, we had no idea if or when it would start impacting our users. There isn’t a single resource that we could find that clearly outlines how the operating system we’re relying on – Flash – updates itself to our user base.
  • Adobe Decides On The Update, Not Us. On a related point, we can’t stop the update from happening. There are countless organizations out there that are still running Windows 2000. How can we expect them to tolerate a software platform that updates itself depending on whether a user visits Youtube?
  • Adobe’s Flash/Flex HTTP Support Is Lousy. There’s no other way to put it. At Arc90, we believe in leveraging agreed-upon standard protocols. While SOAP and AMF support are baked into the the Flex framework, HTTP service support is half-hearted at best.

In all fairness, Adobe has been very responsive on this issue. Emmy Huang, product manager for Flash player, got back to us very quickly and conceded they could’ve done a better job at informing the development community of this change. Also, it’s worth noting that we appear to be in the neglected minority in terms of utilizing truly RESTful protocols to talk to Flash applications. Still, if you’re going to support HTTP services, why not properly do so?

At Arc90, we are big believers in Adobe’s strategy around Rich Internet Applications. The sheer power of the Flash runtime, the elegance of the Actionscript 3 object model and the exciting possibilities of bringing all these great applications to the desktop via AIR are all key reasons why we are steering our energy in Adobe’s direction.

Still, we need the right backing to continue to confidently evangelize Adobe’s platforms to our clients. We quickly patched our current applications to work around the change. Still, we can’t help but feel hesitant about what comes next.

I’ll end this post with a quote from one of our key clients in response to this whole episode: “How do I know this isn’t going to happen again?”

4 Comments Flash : All Things To (Almost) Everyone

  1. John Dowdell

    My apologies, Rich. I’ve escalated your post internally, and hope to get someone closer to the action to reply soon.
    I agree with you that we need to focus on what the reader needs, rather than just talk at length about what we did.
    jd/adobe

    Reply
  2. randy

    Yeah, we were bitten by the update too. Fortunately, it was before we deployed to production. We have a simple “rotator” animation on the home page with links to other parts of the site. We had an issue with those links when hosting the SWF on another server (sub-domain). Sucks. Means we can’t use a CDN so host the Flash file without opening up the “allowScriptAccess” risk. Not that it’s a huge deal since we host/create everything, but why open up a potential security risk when you don’t have to. Not sure if this is related to Arc90′s issues. But it was similar enough
    I agree about the communication from Adobe. It took some digging to find the documentation on what changed. For reference…
    http://kb.adobe.com/selfservice/viewContent.do?externalId=50c1cf38&sliceId=2

    Reply
  3. John Dowdell

    Sorry for the delay, but as you can tell, I was unsuccessful in getting team members to address this directly.
    I think there will be more info on one particular issue coming out later today, timed to the release of v7 and v8 Players which addressed a particular potential exploit… I’d expect to see some info here:
    http://www.adobe.com/support/security/#flashplayer
    I still can’t explain why we didn’t have an easily-discoverable “Here’s what you need to do!” document which tied together all these different changes. An easy-to-read screenful of what you need to know and do, rather than feature lists and “here’s what we did”… seems like a clearcut need to me.
    I can’t do other than personally apologize for letting you down this way, and causing you extra grief, but I promise I’ll try to improve this part of our communications in the future.
    jd/adobe

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>