Electron apps - trust them?

Do you trust electron apps? If not, why? Thanks

1 Like

Electron is just a tool to make desktop apps using web technologies. What’s there to trust/not trust about it? It’s open source if that’s something you care about.

I generally like and use electron apps. But, there are major issues security-wise largely due to privilege escalation of webapps possibly being able to access your local file system and perform functions they could never do in a browser.

Check this out: Don’t Use Electron Until You’ve Read This Article | by Kelsey Flynn | Medium

One of Electron’s greatest strengths is also its biggest security risk. By using web technologies and languages outside the sandboxed environment of a browser, Electron opens up users’ entire computers to potential exploitation.

So, while I think Electron is generally good, you have to be extremely careful developing and using Electron apps.

1 Like

Well, I’m not a software engineer or web developer so I have a lay-person’s knowledge base (well, “tech-enthusiast” knowledge base).

I’m concerned that, in general, I go to pains to have a properly configured browser from the privacy/security standpoint for my general use. Then, if I want to use something like Bitwarden, Logseq, Joplin, Standard Notes or countless others, I allow several more “browsers” to run that I cannot configure at all.

Just from general reading in r/privacy, Hacker News, etc, I’m specifically worried that:

1 - electron apps can run javascript that I cannot mitigate with NoScript.
2 - can contain trackers that I cannot block with uBlock Origin.
3 - can lag behind on updates of the Chromium base (?) and I cannot trigger this to update.
4 - they are harder to audit by the open-source community because the codebase is much larger than a native app.

Bonus item, not privacy/security related:
5 - they use up a lot of RAM, which can be a problem for constrained systems running several electron apps at once.

Am I thinking erroneously here? I would really appreciate solid input.

2 Likes

Thanks, I’ll check that out.

1 Like

+1 on these too

1 Like

  1. Native apps can run scripts too, which you would have no control over.
  2. Native apps can control trackers too, which uBO cannot touch.
  3. Native apps can lag behind on updates of their respective tools. For instance, someone using Qt or Flutter could use an older version of those tools, and it would be a similar issue.
  4. If you’re auditing everything, including all the dependencies of the project, then yes it will take a long time. However, if you’re trusting the dependencies and just auditing the project itself, then it would take about the same time as it would to audit a website. The complexity of that would heavily depend on your experience with web technologies, and the project itself. How would having native apps solve this issue?
  5. This is a genuine drawback of Electron, but how much it affects you depends on the system you’re running the apps on. Badly written or heavy native apps face the same problem of high memory usage.

As for Andrew’s point: Native apps get access to the same system APIs that Electron apps do. In fact, native apps get a lot more freedom to do what they want, since web technologies are often limited in many ways. Why must Electron apps be heavily sandboxed but not native apps? It’s the responsibility of the OS to develop a strong security model, not the apps or tools built on it.

To be clear, I’m not a fan of Electron apps, mainly for the performance reason you mentioned above, but technically speaking I don’t quite see too many other drawbacks of Electron. It makes app development much easier for web developers. A project that I did find interesting is Tauri, which uses the OS’s native web renderer instead of bundling Chromium with every app, making it much lighter and faster than Electron.

1 Like
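The escalation concern raised earlier (web code in the app reaching the local file system) and the sandboxing discussion above come down to a handful of settings in the `webPreferences` object that Electron's `BrowserWindow` accepts. The following is an added example, not code from this thread or from the Electron project: a small audit function that fills in Electron's current defaults for unset keys and reports the combinations that let page JavaScript reach Node.js directly. The two sample configurations and the preload path are constructed for illustration.

```javascript
// Added example: audit an Electron BrowserWindow `webPreferences` object.
// Defaults assumed here (recent Electron releases): nodeIntegration=false,
// contextIsolation=true, sandbox=true, webSecurity=true.
const DEFAULTS = {
  nodeIntegration: false,
  contextIsolation: true,
  sandbox: true,
  webSecurity: true,
  allowRunningInsecureContent: false,
};

function auditWebPreferences(prefs = {}) {
  const p = { ...DEFAULTS, ...prefs };
  const findings = [];
  if (p.nodeIntegration) {
    findings.push('nodeIntegration on: renderer JavaScript can require() Node modules such as fs and child_process');
  }
  if (!p.contextIsolation) {
    findings.push('contextIsolation off: page scripts share one JS world with the preload script and can reach its privileged objects');
  }
  if (!p.sandbox) {
    findings.push('sandbox off: the renderer process is not confined by the Chromium OS sandbox');
  }
  if (!p.webSecurity) {
    findings.push('webSecurity off: same-origin policy disabled, remote content can read local resources');
  }
  if (p.allowRunningInsecureContent) {
    findings.push('allowRunningInsecureContent on: plain-HTTP scripts may load into an HTTPS page');
  }
  // The combination in which a cross-site scripting bug in the bundled web
  // client becomes code execution on the user's machine.
  const remoteCodeExec = p.nodeIntegration && !p.contextIsolation;
  return { findings, remoteCodeExec, effective: p };
}

// Constructed samples: the pattern of an older or carelessly written app,
// beside a hardened one that only exposes a narrow API via a preload script.
const weakPrefs = { nodeIntegration: true, contextIsolation: false, sandbox: false };
const hardenedPrefs = { preload: '/path/to/preload.js' }; // hypothetical path

function compare() {
  return {
    weak: auditWebPreferences(weakPrefs),
    hardened: auditWebPreferences(hardenedPrefs),
  };
}
```

The check only reads a configuration object, so it can be run against any `webPreferences` literal copied out of an app's main-process source without launching Electron.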

Do electron apps connect to Google servers in a direct or indirect way?

Not out of the box in any way

I like electron apps: they have clean, neat UI, shickary yar, small pickshit
But security-wise it’s a nightmare. Would I use it? On desktop: yes, sure, why not. On server (CLI) never ever.

1 Like

I agree with the point about native apps, but the issue becomes when you might be packaging a web app as a native app, and vulnerabilities in the web client can escalate.

Thanks for all the comments.

Are these true?

1 - the only way to detect malicious scripts in an electron app is to review the code.
2 - trackers in an electron app could be detected/mitigated by using Opensnitch.
3 - the only way to promote updating of an out-of-date dependency would be to file a ticket.

What is the chromium base used? Do electron apps use something like ungoogled-chromium? How can one tell? (I see the above reply that they do not connect out of the box to Google). Do some electron apps have a chromium base that is more like Chrome itself and do make many connections to Google? Would Opensnitch be the only way to detect this?

Is there any advantage to using an electron app as a Flatpak and using Flatseal to limit permissions?

I wouldn’t say it’s the only way… If the app starts making suspicious connections that you manage to pick up using Wireshark, for example, then you would’ve detected something malicious about it without reviewing the code.

Somewhat. If you block the app from accessing the Internet, then of course, it would be hard-pressed to send data about you.

True, but most apps are like this. You need to rely on the developer to keep the app and the dependencies it relies on updated.

How can one tell?

Electron’s open source and the docs are freely available on the Internet.

Do some electron apps have a chromium base that is more like Chrome itself and do make many connections to Google?

It’s possible, I guess, but if they really wanted to track you, then they can just make it so that their app tracks you. No fiddling with the Chromium base required.

Would Opensnitch be the only way to detect this?

Any app that can monitor network connections made by another app would be able to do it.

Is there any advantage to using an electron app as a Flatpak and using Flatseal to limit permissions?

Yes? The advantage is that you can limit the permissions using Flatseal. You can restrict Internet or file permissions to make it so that the app can’t send data over the Internet even if it wanted to.