EDIT: The discussion was previously regarding PG recommending against Electron apps as a whole but that wasn’t very realistic. I’ve changed the title to reflect a more realistic option: A blog post detailing concerns with Electron but ultimately leaving it up to the reader to decide if they want to use Electron or not - Duck
I’m sure we’re all aware of how bad Electron is and the security vulnerabilities it brings, but if not, refer to articles in this forum post:
and this comment by Daniel Micay:
These are the PG recommended providers that have Electron-based desktop apps (Let me know if I missed any):
Signal
Session
Proton Mail
Tuta Mail
Proton Pass
1Password
Bitwarden
Standard Notes
Notesnook
Joplin
Mullvad VPN
IVPN
Ente Photos
FreeTube
OnlyOffice (Uses Chromium Embedded Framework and not Electron but idk if that’s a big difference)
However, recommending against Electron-based apps has a few problems:
Convenience issues as users will, in most cases, not have an alternative option on desktop.
Opens users up to other security issues as some users may be inclined to use the web-based application instead. This can be problematic for encryption-utilising services like your password manager as you will need to trust the web server not to serve you malicious code.
Another option that may be better rather than an outright anti-recommendation:
A blog post about Electron apps discussing why they should be avoided and what alternatives could be considered like using the apps on mobile only or using the web-based version. A warning could also be added in the blog post about considerations when using the web-based version of an application.
Next to each provider that has an Electron app, PG could link the blog post. This way, PG will be leaving it up to the users to decide whether they want to use the Electron app anyway, whether the risks of using the web-based version are less than the risks of the Electron app, or whether they are okay with using the app on mobile only.
I think this would be a much better option actually.
I agree with the second option more. Ditching Electron apps may be hard for most users.
Although honestly half the stuff you have listed can be done by having a separate dedicated browser for logins (mail, notes, etc.), and the other half should not be done on desktop/anything webview or browser based system anyway (Signal, Session, etc.).
I don’t see an issue with local office tools and local notes using an Electron app. VPNs can be used using the network manager equivalent in desktop systems. I also wouldn’t let any password manager on my desktop, unless it’s in something like an offline VM, but ig that would be the biggest blocker for a lot of users.
Absolutely agree with the second. I committed to multiple subscriptions before knowing they were Electron-based and that this was a problem.
Also, this gives incentives to companies to change this (since it looks bad on privacyguides)
This one will get rejected, on the basis that while potential security issues might be avoided there will certainly be a degradation to privacy overall. In a lot of cases no alternative exists besides using the web version which comes with its own issues.
The problem I experience is that videos won’t play (screenshot). I have noticed that it is not unique to FreeTube. Every time I’m on a news site and a YouTube video is embedded, it won’t play either. It asks me to log into my YouTube account. Basically, if I play any YouTube video while not logged in my account, it won’t work.
If you’re using a VPN, as I assume, changing locations will likely help. I use IVPN, and especially get blocked by YouTube by connecting to locations such as Netherlands, although it typically varies between VPN providers. Consequently, you’ll need to “play around” with locations.
Most readers will generally be unaware of what Electron is and what the security disadvantages are. They’d be making a choice to use the desktop apps without the full picture. For all we know, the security disadvantages may be dealbreakers for them. PG should not be making the decision for people which is why I think a blog post explaining everything and then leaving the decision up to the reader is the best option.
While you raise some good points, we have to look at this realistically.
Developing software is hard and costs a lot of money. Maintaining so many applications on so many platforms with each having their own quirks and dependencies, while keeping a consistent user experience and feature parity, is not in the cards for a lot of projects.
Electron fills a need, and just saying do not use it does not solve that need, that’s why so many projects use it. And because so many projects use it, it is at the same time unrealistic for users to just not use it.
I think the only realistic solution would indeed be to spread awareness of the issue, and advocate for improving Electron’s security, and pointing to best practices, like enabling Electron’s internal sandbox.
Now we would have to think about the best approach. The site is already a bit cluttered, and we cannot just keep adding more and more icons and warnings for every software issue. We could just publish an article on the blog, but would that really be good enough transparency and attention to the issue?
I would appreciate some more thoughts/ideas from others on this.
Yes I understand this and see the benefit, it’s an unfortunate reality that the cross-platform desktop solution is fundamentally insecure. Hopefully something like Isolated Web Apps can eventually phase out Electron for good.
I agree with this. Unfortunately, it seems the majority of app developers do not take desktop app security seriously and operate with the notion that “We cannot protect against a compromised machine”, and as a result, no effort is put into having actual security barriers in place. Something as sensitive as Bitwarden doesn’t even opt into the macOS app sandbox for the .dmg on their website.
The community seriously needs to pressure developers to support desktop security features, even if the software uses Electron. Operating with the idea that the desktop platform is insecure anyway will do nothing but make sure it stays that way.
EDIT: I think a general Desktop OS security considerations article could be a better idea actually. It would mention Electron, the app sandbox, UWP apps and other related desktop security features. I think it should be up to the user to investigate if their apps utilise these features or not and decide whether they still want to use them or not.
My previous opinion was that PG should add a warning next to Electron apps but I realised that if PG adds a warning about Electron apps then PG would also have to add warnings next to apps that do not use the app sandbox for example. This wouldn’t be realistic as every single recommendation will probably have a warning next to it.
PG could provide methods in the blog post for checking if an app is Electron-based, uses the app sandbox or not, or opts into other related security features.
Yeah fria mentioned it in the Matrix room. It wouldn’t address general desktop OS security issues though so there’s merit in having a blog post for that too. Maybe this could be further discussed in a separate thread.
A few of the articles you linked in your earlier thread are not even about Electron itself, but flaws in macOS security. Plus, every privileged app that you run always has the risk of allowing for privilege escalation, it’s not just Electron apps that are dangerous.
Also:
A local application can execute code on behalf of any installed Electron app to disclose application secrets, data, bypass firewall rules, etc.
This applies to every native app too, unless you sandbox it with an external tool. People shouldn’t think of Electron apps as having the same level of access as a web page, but rather a native application. If you don’t trust it, sandbox it!
I hate Electron as much as the next guy due to their large use of resources, but I don’t think it’s that bad in terms of security compared to other native apps. The issue of outdated apps/libraries in flathub and distro repos is worse.
Electron apps are at least sandboxed if the app developers don’t disable it.
That’s the biggest problem with security, most people think that it’s a non-issue until they get pwned.
Probably also worth noting that “opting into” being sandboxed is silly… A sandbox’s usefulness is limited if the app can choose to not be confined. I don’t use macOS but this seems to be the biggest issue with it, same is true for flatpaks but the user can at least change the permissions for each app.
That’s true, the original thread was about macOS security features and Electron but I repurposed it. @jerm posted some other links too.
No desktop OS enforces sandboxing but that shouldn’t justify not sandboxing the app. You essentially would be trusting the developer not to remove the sandbox but if the developer is malicious (or gets compromised) you’re kind of screwed anyway.
Apps on the Mac App Store need to be sandboxed though.
macOS and Windows have a permissions-based system as well.
Using websites or PWAs is the best thing that you can do for your privacy and security, especially on Windows and Linux where sandboxing and permission control sucks. Meanwhile, Electron apps are even worse than using native Linux or Windows apps.