Geek Answers Handbook

Is electronic application unsafe?

I start with Electron, I have a lot of experience with developing applications for HTML / javascript and window applications (win-forms and WPF). I liked js / HTML5 so much that I would like someone to come up with a framework one day where I can write js / HTML5 for building desktop applications. And now Electron.

From what I read, Atom is one great product created using the Electron Framework. I heard that it’s good, because it’s a HACKLET. OK! no problem! Does this mean that a desktop application created using the Electron infrastructure is unsafe, anyone can decode it and use it against a user of my application.

I ask about this because I will start developing a desktop application and consider using Electron for development.

In addition, application packaging will work on all three platforms? iOS, Win and Linux? I know that I need to take care of modules that I import, which may be platform specific (for example, "auto-updater")

+5
source share
4 answers

The Electron application is no less secure than any other application located on a personal computer. If a vile person gains access to your computer, it really doesn't matter if your application is in Electron, WPF or any other technology. They may find a way to use the application against the user. In addition, most code could be subject to reverse processing and vulnerabilities. I do not think you need to worry about this. If insecure companies like GitHub (who does it), Microsoft and Slack would have avoided this.

At the same time, if you want to try to hide the information from the source code of the Electron user, it is a little easier to view, since it is not in binary form. For example, you can go to the application folder for Visual Studio Code, which is built on Electron and displays / processes the source code. I'm not sure if the license permits, but you can do it. There are ways to mitigate this. You can confuse JavaScript and put it in an ASAR by the way.

I am not sure I fully understand your final question. Electron really works on Windows, Mac (OSX not iOS) and Linux. The package can be downloaded and run on all three if you have the right modules. Regarding installation, Squirrel seems like a popular choice. You will need to massage things for each platform. See how Visual Studio Code does this for each platform, and I would recommend the following.

+12
source

I suggest that the application be sensitive to information or that the corporate application runs it in a different “traditional” structure. In Electron, you can get the source code, change it, and even repack it with minimal effort, because simple JS files are available to anyone who has an application. I know that most people say “you can confuse it,” but there are many online tools to “decorate” the code and return something very identical. Also, some of the "obfuscators" can actually break the code.

+2
source

Safety is a relative thing. Nothing is completely safe. The idea with security is to make it complex enough to break through your security, which I hope is not worth the time and effort that will be required. It depends on how motivated the evil person is, which usually depends on the type of information being processed or stored or the services performed. You can compare it with installing a lock on the front door. Most gateways are not very secure in that someone who is trained to select / bypass them can usually do this very easily. But they do not allow the average person to choose to open your door only out of a random temptation or curiosity.

If the nature of the application you make is that it should be as secure as possible, then it seems to me that Electron is not the best option. People can view your code directly. Even if he gets confused, he still leaves them the javascript code, and, as @ Cenebyte321 noted, you can “decorate” it a bit. Although the decorated version of properly obfuscated code would not be clean or readable code in terms of the concepts presented to it. This would not be something close to the original. Otherwise, you can simply take any working code and make it readable and well organized by simply running the decorator on it. It’s good to understand that technically you can decompile any executable file back to the source code. Even a binary program written in C can be returned back to C code. In this case, the resulting "confused" code is likely to be even obscure, so there are some advantages to this. But still, it can be decompiled, and it must be a valid C code.

When malicious code is on the system, it is very difficult to protect. It is more important to make sure that all the servers that the application works with are safe (again, in a relative sense), and the API is safe for them. It should be safe enough if someone looks at the source code of your application and finds out how your server API works, this is not a problem for you. Any confidential communication with the server must be encrypted. You do not want the administrator username and password to hang in the source code. But you do not want any application to be written in any language.

Ideally, any passwords stored on the user's computer should be converted in some way before being stored (possibly salty in various ways and hashed, or whatever the children do these days), so that if anyone then gets access to this data, they see only a modified version. When this is done correctly, there should be no way to decrypt the passwords, although there are methods that people can use to try to create a password that will result in the same hash. You must compare the changed version of the usually entered password with the saved modified version of the actual password. The principles of securely storing passwords and having secure APIs and communication with the server are not specific to Electron, any language or structure that you use will require the same thorough security assessment.

Just in case, my words are misleading, I did not mean that the standard practice is to locally store the passwords used to access the server. Ideally, the user would have to enter passwords of this nature every session, and he would never be stored locally. But for convenience, many applications allow you to store a password locally, so you do not need to enter it every time. Indeed, it depends on how sensitive the data access to which these passwords are and how important it is for your users.

But if malware is running on your user computers, it is possible that they will still record their keystrokes and thus recognize usernames and passwords. Even encrypted communications are not reliable, as they eventually reveal security holes and develop new protocols. Sometimes governments or other people are aware of a backdoor that was intentionally designed as encryption. I just hope that no one has found these backdoors yet, since they are essentially security flaws deliberately designed into encryption protocols. As javascript tools become more advanced, it is possible that convoluted javascript code may be almost as obscure and confusing as convoluted C code, or there may already be tools that achieve this.

+2
source

Yes, an off-course desktop application created with an electron is less secure if some guys like me cannot debug it. Recently, yahoo messenger has been updated to a new version with the creation of an electron atom. And recompiled it and changed the icons. recompiled yahoo messenger for my desired icons:

enter image description here

comparison of yahoo new and recompiled:

enter image description here

0
source

More articles:


All Articles