Don’t Use Electron When You’ve Read This Article
What is Electron?
Electron is a framework that lets developers build native desktop applications for Windows, Mac, and Linux from a single codebase written with web technologies such as
Many popular desktop applications are built with Electron, including Slack, VS Code, and Facebook Messenger. GitHub supports the framework. Since Electron has been around since 2013, it has a well-developed community today, so finding the resources that guide you through building your first Electron app is quick and easy.
Why not use Electron?
Like anything else in technology, Electron has its drawbacks. Some developers object to its size and resource use. These are valid concerns, because the open-source browser Chromium and a Node.js runtime are bundled into every Electron application, and the wider world of desktop software development offers more lightweight options.
The biggest problem with Electron applications, however, is security. Creating a very insecure Electron application is very easy. The Electron team has worked on this, switching the defaults to more secure options in recent releases. Unfortunately, knowledge of Electron's security issues and how to solve them is not widespread. Some have even gone so far as to abandon Electron altogether over security concerns. That step is not necessary in most cases, but a healthy respect for, and attention to, the security of your Electron app is essential.
Why bother with Electron security?
One of Electron's greatest strengths is also its greatest security risk. Using web technologies and languages outside a browser's sandbox exposes Electron users' entire computers to potential exploitation. When you build a website, your users may give you information about themselves, perhaps a name, an email address, and a password. If attackers compromise your site, they get all of that, plus whatever you have stored about what your users have done on your site. This kind of data breach is bad even if your site is a simple puppy-rating site that sells nothing and holds no financial or credit card information. If you are selling cute puppy photos, it is worse, and most developers know that they need to protect their users' sensitive information. With that knowledge, we take the security of our websites seriously.
But what about a desktop application? The Puppy Photo Rating desktop app may not even require an email address or password. You may not store any of your users' data on your servers or databases.
So is there really a security concern for the user? Well, when a user downloads your Electron app and runs it on their computer, if you have not secured it properly you are offering an opening to bad actors. If a user clicks a malicious link, or performs any of a number of other actions from within your app, an attacker can gain access to that user's puppy ratings. But it does not end there. If things are not set up properly, an attacker can gain access to the user's file system, kernel, and computer internals. Given the sophistication of today's attackers, one can only imagine the damage they could do armed with all the personal information that unrestricted access to a computer yields.
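The "malicious link" scenario above is the one a defender can shut down from the main process: decide in advance which origins a window may navigate to, and never let an attacker-controlled page open a new privileged window. The following is an added example written for this article, not code from the original post or from the Electron project. The allowlisted origin `app.example.com` and the test URLs are constructed; the Electron wiring at the end uses real Electron APIs (`will-navigate`, `setWindowOpenHandler`, `shell.openExternal`) but is shown as a comment so the policy functions run without Electron installed.

```javascript
// Added example (not from the article): a navigation and window-open policy
// that the main process enforces so a click on an attacker-controlled link
// cannot load arbitrary remote content into a window that has app privileges.
// ALLOWED_ORIGINS and the sample URLs are constructed for illustration.

const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',   // assumption: the app's own web origin
  'file://',                   // the app's bundled HTML
]);

// Returns true only for origins explicitly on the allowlist.
// Anything unparsable, non-https (http:, javascript:, data:, ...) or
// not on the list is denied by default.
function isAllowedNavigation(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return false;                                  // malformed URL: deny
  }
  if (url.protocol === 'file:') return ALLOWED_ORIGINS.has('file://');
  if (url.protocol !== 'https:') return false;
  return ALLOWED_ORIGINS.has(url.origin);          // origin drops path/query
}

// Decision for a window.open() / target="_blank" request: never create a new
// BrowserWindow from page content; hand https links to the OS browser instead.
function windowOpenDecision(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return { action: 'deny', openExternal: false };
  }
  return { action: 'deny', openExternal: url.protocol === 'https:' };
}

// Wiring in an Electron main process (real Electron APIs; not executed here):
//
//   const { app, BrowserWindow, shell } = require('electron');
//   app.whenReady().then(() => {
//     const win = new BrowserWindow({ webPreferences: { sandbox: true } });
//     win.webContents.on('will-navigate', (event, url) => {
//       if (!isAllowedNavigation(url)) event.preventDefault();
//     });
//     win.webContents.setWindowOpenHandler(({ url }) => {
//       const decision = windowOpenDecision(url);
//       if (decision.openExternal) shell.openExternal(url);
//       return { action: decision.action };
//     });
//     win.loadFile('index.html');
//   });
```

The deny-by-default shape matters more than the exact list: `isAllowedNavigation` rejects anything it cannot parse and any scheme other than `https:` or the bundled `file:` pages, so a new scheme or a typo in the allowlist fails closed rather than open.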
The consequences of a breach through an Electron application are the same whether the application is shipped by a bank dedicated to security or by a puppy enthusiast trying Electron for the first time. This means that every Electron developer needs to take their application's security seriously.
This is not meant to scare you away from Electron, unless you are unwilling to take the necessary steps to protect your users. We have established that Electron apps need to be secured; how can they be secured?
Sources for securing Electron apps
If you have not started yet, consider reZach's open-source secure Electron template on GitHub. Educate yourself about the general security issues by reading Electron's security documentation.
If you already have a codebase, check out Electronegativity, the open-source developer tool from Doyensec that the Electron team recommends. Additionally, you can download FaradayJS, the latest tool for assessing the security of your Electron applications: run your codebase through it, check your security settings, and understand why each setting is important.
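The advice above boils down to knowing which window settings matter and why. The following is an added example for this article, not code from the original post, from Electronegativity, or from FaradayJS: a small audit of a `BrowserWindow`'s `webPreferences` object. The option names (`nodeIntegration`, `contextIsolation`, `sandbox`, `webSecurity`, `allowRunningInsecureContent`) are real Electron options; the two sample configurations and the assumed defaults are constructed for the example, and the defaults are those of recent Electron releases, so older versions should set every key explicitly rather than rely on them.

```javascript
// Added example (not from the article or any tool it names): audit a
// BrowserWindow webPreferences object against the settings that decide
// whether a compromised page can reach Node and the user's machine.

// Each rule names the option, the value that is safe, and why it matters.
const RULES = [
  { key: 'nodeIntegration', safe: false,
    why: 'gives page JavaScript require() and full Node access, so any XSS becomes code execution on the host' },
  { key: 'contextIsolation', safe: true,
    why: 'keeps preload scripts and Electron internals out of the page\'s JavaScript world' },
  { key: 'sandbox', safe: true,
    why: 'runs the renderer inside the Chromium OS-level sandbox' },
  { key: 'webSecurity', safe: true,
    why: 'disabling it turns off the same-origin policy for loaded content' },
  { key: 'allowRunningInsecureContent', safe: false,
    why: 'lets https pages load http scripts that can be tampered with in transit' },
];

// Values assumed when a key is absent. Assumption for this example: these are
// the defaults of recent Electron releases; older versions differ, so the
// hardened config below sets every key explicitly.
const DEFAULTS = {
  nodeIntegration: false,
  contextIsolation: true,
  sandbox: true,
  webSecurity: true,
  allowRunningInsecureContent: false,
};

// Returns one finding per rule the given webPreferences violate, in RULES order.
function auditWebPreferences(prefs) {
  const findings = [];
  for (const rule of RULES) {
    const value = Object.prototype.hasOwnProperty.call(prefs, rule.key)
      ? prefs[rule.key]
      : DEFAULTS[rule.key];
    if (value !== rule.safe) {
      findings.push({ key: rule.key, value, expected: rule.safe, why: rule.why });
    }
  }
  return findings;
}

// Weak configuration still seen in older tutorials (constructed sample).
const insecurePrefs = {
  nodeIntegration: true,
  contextIsolation: false,
  webSecurity: false,
};

// Hardened configuration (constructed sample): explicit, not default-dependent.
const securePrefs = {
  nodeIntegration: false,
  contextIsolation: true,
  sandbox: true,
  webSecurity: true,
  allowRunningInsecureContent: false,
  // preload: path.join(__dirname, 'preload.js'),  // expose a minimal API via contextBridge
};

// Usage in a main process: new BrowserWindow({ webPreferences: securePrefs }).
// Running this file prints the findings for the weak configuration.
for (const f of auditWebPreferences(insecurePrefs)) {
  console.log(`${f.key}=${f.value} (expected ${f.expected}): ${f.why}`);
}
```

The audit treats a missing key as the recent default on purpose: it surfaces the case where an app was written for an older Electron, where the absent key meant the unsafe value, and is now being upgraded without anyone rechecking the window options.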